Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Sort and Grouping Question
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Splunkers,
this might sound stupid. I am trying to query and table host, COMMAND and USER which works fine. But is it possible to group the host? I want to display each COMMAND and USER value under one host name.
Host COMMAND USER
www.off.dus.acompany.com ini_t root
kthreadt root
ksoftirqd root
migration root
watdog/0 root
mirtion/1 root
ksoftqd/1 root
www.off.ber.bcompany.com ini_t root
kthreadt root
ksoftirqd root
migration root
watdog/0 root
mirtion/1 root
ksoftqd/1 rootThis is all I got
sourcetype=pu OR sourcetype=tik COMMAND | multikv | table host COMMAND USERIn terms of visuals it is almost the same case as the following link
http://splunk-base.splunk.com/answers/25102/question-regarding-grouping-of-results-into-a-table
Thanks in advance for your help.
Best regards
Mike
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| stats list() will keep duplicate user-command tuples.
sourcetype=pu OR sourcetype=tik COMMAND
| multikv
| strcat "[" USER "] " COMMAND user_command
| stats list(user_command) by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| stats list() will keep duplicate user-command tuples.
sourcetype=pu OR sourcetype=tik COMMAND
| multikv
| strcat "[" USER "] " COMMAND user_command
| stats list(user_command) by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
replace "| stats list(user_command) by host" with "| stats list(user_command) count dc(user_command) as distinct_count by host"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
btw how do I now count the values in the field list(user_command)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect! Thank you very much!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not very nice, but you can group the COMMAND and USER on a single columns and try the commands values().
mysearch | eval command_user= COMMAND." ".USER
| stats values(command_user) AS list_command_user by host
But the duplicates will be removed, so if you really need the count, add some magic.
mysearch | eval command_user= COMMAND." ".USER
| stats count by command_user host
| eval command_user_count=command_user." [".count."]"
| stats values(command_user_count) AS list_command_user_count by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, i copy&pasted eval command_user= COMMAND." ".USER
| stats values(command_user) AS list_command_user by host. But it shows only the hosts. Is there anything I need to do else?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps mvcombine could be used? http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvcombine
Observe and Secure All Apps with Splunk
Splunk Decoded: Business Transactions vs Business IQ
Fastest way to demo Observability
