Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

How to display different count of event by user

papemalik
Explorer
‎12-26-2016 03:14 AM

Hello,

I would like the display by user, different count.

For example: i have several rule such as M, N, O, P, Q . for each user A (for instance) i would like to display the count of each event related to the rules and have a risk score.

user-----rule-----count----total_count
A----------M----------2----------6
-----------N----------3----------

-----------O----------1----------

for now i can do the total_count but not the detailed count.

Thank you in advance for your help

0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution

Re: How to display different count of event by user

rjthibod
Champion
‎12-26-2016 07:27 AM

You want to use something like stats to get the individual counts per rule and user and then eventstats to add the total count per user.

You will to post more information in order to get help about the "risk score". Not sure what you are trying to calculate.

YOUR SEARCH ... 
| stats count as count by user rule 
| eventstats sum(count) as total_count by user
| table user rule count total_count
| sort +user
0 Karma
Reply
Highlighted
Solved! Jump to solution
Solution

Re: How to display different count of event by user

somesoni2
SplunkTrust
SplunkTrust
‎12-26-2016 12:29 PM

Give this a try

your base search | stats count by user rule | sort 0 -count | stats list(rule) as rule list(count) as count sum(count) as total_count by user

View solution in original post

Reply
Highlighted
Solved! Jump to solution

Re: How to display different count of event by user

papemalik
Explorer
‎12-27-2016 01:55 AM

@rjthibod it works but for instance when a user has 2 rules, it shows the user's name twice.
For the risk score, we set up a value a risk value for each rule so that the risk for a user increments when he/she hit a rule. The goal is to show the risk score at the end.

@somesoni2 ♦ it works perfect, now i have to add the risk score.

Thank you guys for your help

0 Karma
Reply
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.