How to search for serach with 746 lines

bond77s · ‎01-27-2025

I need help with the structure of this search

index=indexname

I need help with the structure of this search 
I would like to display the username, the group and the connection method
|stats count by username, group, connection method
|sort -count

bond77s · ‎01-27-2025

I just want to check an index for the following information and it to be displayed in a chart

I looking for help with the structure of the search

the username, the group and the connection method

bowesmana · ‎01-27-2025

So, you do

| stats count by user group "connection method"

if those are the names of your fields.

isoutamo · ‎01-27-2025

If you have a field called “connection method” you must surround it with ’ (use single ‘ in both side of field name). This told to splunk that those are field name, not two separate fields.

|stats count by username, group, 'connection method'

bowesmana · ‎01-27-2025

@isoutamo actually no, in stats for that type of field name it requires double quotes. It's eval that requires single quotes on RHS of expression.

isoutamo · ‎01-27-2025

Thanx, I usually rename those fields as remove spaces. In that way it’s much easier to use those.

bowesmana · ‎01-27-2025

What does that mean and what have you tried that you need help with and what is not doing what you expect?

How to search for serach with 746 lines

stats

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

How to search for serach with 746 lines

stats

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard