Solved: How to edit my search to create a table listing sp...

jdepp · ‎07-20-2016

I am trying to display a table that lists specific fields, but also a stats count of one of the fields. It works, but then one of the remaining fields does not display anything.

Search String

source="/data.cycletimes/tcp/10039" | stats sum(totalPosts) as "Total New Posts" by user | rename startDate as "First Post"   | table user, "First Post" ,"Total New Posts

In the above all columns display the total except the "First Post" field. Also I would like to group it by user so that each user only appears once.
I get it to work with this search, but then user appears more than once.

source="/data.cycletimes/tcp/10039" | stats sum(totalPosts) as "Total New Posts" by user, startDate | rename startDate as "First Post"   | table user, "First Post" ,"Total New Posts"

Appreciate any response and help.

somesoni2 · ‎07-20-2016

Try like this

source="/data.cycletimes/tcp/10039" | stats first(startDate) as "First Post" sum(totalPosts) as "Total New Posts"  by user

View solution in original post

somesoni2 · ‎07-20-2016

Try like this

source="/data.cycletimes/tcp/10039" | stats first(startDate) as "First Post" sum(totalPosts) as "Total New Posts"  by user

jdepp · ‎07-25-2016

thanks. Appreciate it

How to edit my search to create a table listing specific fields and a stats count?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?