Splunk Search

Need help editing my search string so it displays correctly on visualization chart

jcorkey
Explorer

Below is my search string:

| multisearch [search index="*" host="*" sourcetype="*" user="*" useradd  "type=ADD_GROUP" | eval rectype1="Created new user"] [search index=* host=* sourcetype="*" "usermod" AND "type=USER_MGMT" | eval rectype2="Added new user to group"] [search host="*" index="*" sourcetype="*"  "su:" "session opened for user" | eval Date=strftime(_time, "%Y/%m/%d") | rex "by (?[^(]+)" | rex "^[^\)\n]*\):\s+\w+\s+\w+\s+\w+\s+\w+\s+(?P\w+)" | eval rectype3= "Switched to different user account"] [search index=* host=* sourcetype="*" user="*" "type=USER_CMD"(action=success OR action=failure OR action=unknown) | eval rectype4="Executed sudo command"] | stats dc(rectype4) as "Executed sudo command", dc(rectype3) as "Switched to different user account" , dc(rectype2) as "Added new user to group", dc(rectype1) as "Created new user" by user

Below is my image of the results:

alt text

You can see that these users have committed these actions listed on the right side of the chart such as, executing sudo commands, creating new users etc etc and that why they are listed on the chart, however, each bar for each user is the same height as the others. I want the bars to be measured buy the count of how many times a user has commit these actions. For example, if user hacker switches to a different user account 5 different times, that yellow block will be at a height of 5 according to a numbered range on the left side of the chart. Right now the numbered range on the left side is 0.5 to 1.5 and I don't understand why that is.

how can I accomplish this?

0 Karma
1 Solution

niketnilay
Legend

@jcorkey, change from distinct count i.e. dc() to count i.e. count()

| stats count(rectype4) as "Executed sudo command", count(rectype3) as "Switched to different user account" , count(rectype2) as "Added new user to group", count(rectype1) as "Created new user" by user
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketnilay
Legend

@jcorkey, change from distinct count i.e. dc() to count i.e. count()

| stats count(rectype4) as "Executed sudo command", count(rectype3) as "Switched to different user account" , count(rectype2) as "Added new user to group", count(rectype1) as "Created new user" by user
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.