Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display SPL to chart events?

adamsmith47
Communicator
‎03-24-2022 11:46 AM

I have a search I can compose using multiple appends and sub-searches to accomplish, but I assume there's an easier way I'm just not seeing, and hoping someone can help. (maybe using | chart?)

Essentially, I have a set of user login data... username and login_event (successful, failed, account locked, etc...).

I'd like to display a chart showing total events (by login_event) and distinctive count by username, which might look like below:

login_event count
successful 1600
failed 200
account locked 10
successful (distinct usernames) 1200
failed (distinct usernames) 50
account locked (distinct usernames) 9
Labels (3)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-24-2022 01:14 PM

Ok, let's analyze what you want to get from your search.

You have three different types of login_event and you want to count occurrences of each of them as well as distinct values of username field associated with each of those types of events.

So the first part is what kind of summary you want to get

<your search> | stats count dc(username)

You want count of events as well as count of distinct values of username field.

Now you need to tell splunk how to split the values. You want separate stats for each value of the login_event field. So you add

by login_event

And you're pretty much home - you should get all the information you need.

If you don't like the layout (you should get 3x2 table) you can try to use untable. But that's another story.

0 Karma
Reply
Get Updates on the Splunk Community!

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...