Solved: I need to combine two results names into one

streetdoc123 · ‎08-31-2017

So search command | stats count by user | want to rename or combine the two results into same name

i.e.
User ** **Count
eid 1234abc 2
Bobbie Smith 12

kmaron · ‎09-05-2017

Try this:

eval UserCount = User.Count

View solution in original post

streetdoc123 · ‎09-05-2017

I'll try it. Thanks for the help.

streetdoc123 · ‎09-05-2017

Thanks, I'll try that.

kmaron · ‎09-05-2017

Try this:

eval UserCount = User.Count

somesoni2 · ‎08-31-2017

Assuming you'll not always get two rows from your stats, how do you relate a name with user_id? Do you've any lookup or any other source which contains this mapping?

streetdoc123 · ‎09-01-2017

I don't know what you are asking. The results show up as a user ID, then the user name appears in the table value as well. I have several that show up as both name and eID, which I need to combine them for alert reporting purposes. The count shows them both as well.

User Count
Bobbie Smith 12
eID 1234abc . (Also Bobbie Smith) 2
Not sure if the format for the tables and columns are showing up well enough.

DalJeanis · ‎09-01-2017

@streetdoc123 - @somesoni2 is asking, "How will the search program determine which user name goes with which id?"

Is there a table somewhere that has...

eid         Name
1234abc    Bobbie Smith
2345def    J Jonah Jamieson

cmerriman · ‎09-01-2017

Is this a multi value field? Can you provide syntax that is getting you to this point ?

I need to combine two results names into one

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

I need to combine two results names into one

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2