Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to create an iterative search

timbCFCA
Path Finder
‎08-20-2012 11:15 AM

I'm trying to correlate my printer entries along the top printer / user combination line.
What I'm looking for in the way of output would be something like:

printer name 1 | user name 1 | user name 1 count | user name 2 | user name 2 count | ... etc. 
printer name 2 | user name 3 | user name 3 count | user name 2 | user name 2 count | ... etc.

I have a search prepared to locate the printer names in the first column:

evtid=10 host=print1* OR host=print2* NOT evtuser=*$ | table Printer_Name | dedup Printer_Name

I also have a search that provides the data I want for the remaining columns:

evtid=10 host=print1* OR host=print2* NOT evtuser=*$ Printer_Name=PR-EAST | chart count by Printer_Name, evtuser

How do I glue these together to get the results I need? I'd rather not have to run hundreds of these queries by hand. I looked at subsearches and it doesn't look like that does quite what I need.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tfletcher_splun
Splunk Employee
Splunk Employee
‎08-20-2012 11:23 AM

Do it all in one search try:

evtid=10 host=print1* OR host=print2* NOT evtuser=*$ Printer_Name=*| stats count by Printer_Name, evtuser | sort 0 Printer_Name, evtuser | stats list(evtuser) as users list(count) as counts by Printer_Name

This will give you each printer and then the users and counts in mv fileds. You can use further eval commands to pivot them into columns if you like. If you want one mv field just eval them together before final stats:

evtid=10 host=print1* OR host=print2* NOT evtuser=*$ Printer_Name=*| stats count by Printer_Name, evtuser | sort 0 Printer_Name, evtuser | eval data=evtuser+":"+count | stats list(data) as data by Printer_Name

Hope that helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

tfletcher_splun
Splunk Employee
Splunk Employee
‎08-20-2012 11:23 AM

Do it all in one search try:

evtid=10 host=print1* OR host=print2* NOT evtuser=*$ Printer_Name=*| stats count by Printer_Name, evtuser | sort 0 Printer_Name, evtuser | stats list(evtuser) as users list(count) as counts by Printer_Name

This will give you each printer and then the users and counts in mv fileds. You can use further eval commands to pivot them into columns if you like. If you want one mv field just eval them together before final stats:

evtid=10 host=print1* OR host=print2* NOT evtuser=*$ Printer_Name=*| stats count by Printer_Name, evtuser | sort 0 Printer_Name, evtuser | eval data=evtuser+":"+count | stats list(data) as data by Printer_Name

Hope that helps!

Reply
Solved! Jump to solution

tfletcher_splun
Splunk Employee
Splunk Employee
‎08-20-2012 12:40 PM

change the order in the sort pipeline to include count. (I assume you still want it by printer)
... | sort 0 Printer_Name, count, evtuser | ...

0 Karma
Reply
Solved! Jump to solution

timbCFCA
Path Finder
‎08-20-2012 11:28 AM

How do I sort the output of the stats by the count statement?

0 Karma
Reply
Solved! Jump to solution

timbCFCA
Path Finder
‎08-20-2012 11:25 AM

Perfect. I just wasn't sure what the necessary syntax was.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...