Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to display SPL to chart events?

adamsmith47
Communicator
‎03-24-2022 11:46 AM

I have a search I can compose using multiple appends and sub-searches to accomplish, but I assume there's an easier way I'm just not seeing, and hoping someone can help. (maybe using | chart?)

Essentially, I have a set of user login data... username and login_event (successful, failed, account locked, etc...).

I'd like to display a chart showing total events (by login_event) and distinctive count by username, which might look like below:

login_event count
successful 1600
failed 200
account locked 10
successful (distinct usernames) 1200
failed (distinct usernames) 50
account locked (distinct usernames) 9
Labels (3)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-24-2022 01:14 PM

Ok, let's analyze what you want to get from your search.

You have three different types of login_event and you want to count occurrences of each of them as well as distinct values of username field associated with each of those types of events.

So the first part is what kind of summary you want to get

<your search> | stats count dc(username)

You want count of events as well as count of distinct values of username field.

Now you need to tell splunk how to split the values. You want separate stats for each value of the login_event field. So you add

by login_event

And you're pretty much home - you should get all the information you need.

If you don't like the layout (you should get 3x2 table) you can try to use untable. But that's another story.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...