Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display different count of event by user

papemalik
Explorer
‎12-26-2016 03:14 AM

Hello,

I would like the display by user, different count.

For example: i have several rule such as M, N, O, P, Q . for each user A (for instance) i would like to display the count of each event related to the rules and have a risk score.

user-----rule-----count----total_count
A----------M----------2----------6
-----------N----------3----------

-----------O----------1----------

for now i can do the total_count but not the detailed count.

Thank you in advance for your help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-26-2016 12:29 PM

Give this a try

your base search | stats count by user rule | sort 0 -count | stats list(rule) as rule list(count) as count sum(count) as total_count by user

View solution in original post

Reply
Solved! Jump to solution

papemalik
Explorer
‎12-27-2016 01:55 AM

@rjthibod it works but for instance when a user has 2 rules, it shows the user's name twice.
For the risk score, we set up a value a risk value for each rule so that the risk for a user increments when he/she hit a rule. The goal is to show the risk score at the end.

@somesoni2 ♦ it works perfect, now i have to add the risk score.

Thank you guys for your help

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-26-2016 12:29 PM

Give this a try

your base search | stats count by user rule | sort 0 -count | stats list(rule) as rule list(count) as count sum(count) as total_count by user
Reply
Solved! Jump to solution

rjthibod
Champion
‎12-26-2016 07:27 AM

You want to use something like stats to get the individual counts per rule and user and then eventstats to add the total count per user.

You will to post more information in order to get help about the "risk score". Not sure what you are trying to calculate.

YOUR SEARCH ... 
| stats count as count by user rule 
| eventstats sum(count) as total_count by user
| table user rule count total_count
| sort +user
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...