How to display SPL to chart events?

adamsmith47 · ‎03-24-2022

I have a search I can compose using multiple appends and sub-searches to accomplish, but I assume there's an easier way I'm just not seeing, and hoping someone can help. (maybe using | chart?)

Essentially, I have a set of user login data... username and login_event (successful, failed, account locked, etc...).

I'd like to display a chart showing total events (by login_event) and distinctive count by username, which might look like below:

login_event	count
successful	1600
failed	200
account locked	10
successful (distinct usernames)	1200
failed (distinct usernames)	50
account locked (distinct usernames)	9

PickleRick · ‎03-24-2022

Ok, let's analyze what you want to get from your search.

You have three different types of login_event and you want to count occurrences of each of them as well as distinct values of username field associated with each of those types of events.

So the first part is what kind of summary you want to get

<your search> | stats count dc(username)

You want count of events as well as count of distinct values of username field.

Now you need to tell splunk how to split the values. You want separate stats for each value of the login_event field. So you add

by login_event

And you're pretty much home - you should get all the information you need.

If you don't like the layout (you should get 3x2 table) you can try to use untable. But that's another story.

How to display SPL to chart events?

chart

stats

table

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life