Splunk Search

How to display different count of event by user

papemalik
Explorer

Hello,

I would like the display by user, different count.

For example: i have several rule such as M, N, O, P, Q . for each user A (for instance) i would like to display the count of each event related to the rules and have a risk score.

user-----rule-----count----total_count
A----------M----------2----------6
-----------N----------3----------

-----------O----------1----------

for now i can do the total_count but not the detailed count.

Thank you in advance for your help

0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

your base search | stats count by user rule | sort 0 -count | stats list(rule) as rule list(count) as count sum(count) as total_count by user

View solution in original post

papemalik
Explorer

@rjthibod it works but for instance when a user has 2 rules, it shows the user's name twice.
For the risk score, we set up a value a risk value for each rule so that the risk for a user increments when he/she hit a rule. The goal is to show the risk score at the end.

@somesoni2 ♦ it works perfect, now i have to add the risk score.

Thank you guys for your help

0 Karma

somesoni2
Revered Legend

Give this a try

your base search | stats count by user rule | sort 0 -count | stats list(rule) as rule list(count) as count sum(count) as total_count by user

rjthibod
Champion

You want to use something like stats to get the individual counts per rule and user and then eventstats to add the total count per user.

You will to post more information in order to get help about the "risk score". Not sure what you are trying to calculate.

YOUR SEARCH ... 
| stats count as count by user rule 
| eventstats sum(count) as total_count by user
| table user rule count total_count
| sort +user
0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...