I need to combine two results names into one

streetdoc123
New Member

So search command | stats count by user | want to rename or combine the two results into same name

i.e.
User            Count
eid 1234abc     2
Bobbie Smith    12

0 Karma

kmaron
Motivator

Try this:

eval UserCount = User.Count

0 Karma

streetdoc123
New Member

I'll try it. Thanks for the help.

0 Karma

streetdoc123
New Member

Thanks, I'll try that.

0 Karma

somesoni2
Revered Legend

Assuming you'll not always get two rows from your stats, how do you relate a name with user_id? Do you have any lookup or any other source which contains this mapping?

0 Karma

streetdoc123
New Member

I don't know what you are asking. The results show up as a user ID, then the user name appears in the table value as well. I have several that show up as both name and eID, which I need to combine for alert reporting purposes. The count shows them both as well.

User                                  Count
Bobbie Smith                          12
eID 1234abc . (Also Bobbie Smith)     2

Not sure if the format for the tables and columns are showing up well enough.

0 Karma

DalJeanis
Legend

@streetdoc123 - @somesoni2 is asking, "How will the search program determine which user name goes with which id?"

Is there a table somewhere that has...

eid         Name
1234abc    Bobbie Smith
2345def    J Jonah Jamieson
0 Karma
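
The mapping table asked about above, applied to the two rows from the question, as an added example that is not part of any post in this thread. The `makeresults` events are constructed sample data, the `case()` expression is an inline stand-in for a real eid-to-Name lookup, and it assumes the `user` field holds the bare id `1234abc`.

```spl
| makeresults count=14 ```constructed sample: 14 events for one person```
| streamstats count AS n
| eval user=if(n<=12, "Bobbie Smith", "1234abc") ```12 events carry the name, 2 carry the eid```
| stats count BY user ```two rows, as in the question```
| eval Name=case(user=="1234abc", "Bobbie Smith", user=="2345def", "J Jonah Jamieson") ```assumed mapping, stand-in for a lookup```
| eval user=coalesce(Name, user) ```values with no mapping keep their original value```
| stats sum(count) AS count BY user ```one row: Bobbie Smith, 14```
```

With a real mapping source, the `case()` line becomes `| lookup eid_to_name eid AS user OUTPUT Name`, where `eid_to_name` is a hypothetical lookup definition with `eid` and `Name` columns. Ids missing from the lookup stay as separate rows, which makes unmapped accounts visible in the alert report instead of silently dropped.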

cmerriman
Super Champion

Is this a multi value field? Can you provide syntax that is getting you to this point?

0 Karma