Splunk Search

I would like to create a table similar to the following:

Of Reports Created Users %

>10                                23              3
 10                                4               1
  9                                3               0
  8                                3               0
  .
  .
  .
  1                               433             57

The search is only: sourcetype="xyz" host=MA* Mthd="CreateReport"

So, want to know how many users created 1 report, 2 reports, ...., 10 reports, and more than 10.

sourcetype="xyz" host=MA* Mthd="CreateReport"
| stats count as reportcount by user 
| eval reportcount=if(reportcount<10,tostring(reportcount),">10")
| stats dc(user) as numusers by reportcount

try this

sourcetype="xyz" host=MA* Mthd="CreateReport" | stats count by User | eval ReportCount=case(count=1,"1",count=2,"2"...and so on, count=10="10", 1=1,"10 or more") | stats count by ReportCount

Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...