Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Table of count of specific user action by unique user

RVDowning
Contributor
‎09-19-2014 12:04 PM

I would like to create a table similar to the following:

Of Reports Created Users %

>10                                23              3
 10                                4               1
  9                                3               0
  8                                3               0
  .
  .
  .
  1                               433             57

The search is only: sourcetype="xyz" host=MA* Mthd="CreateReport"

So, want to know how many users created 1 report, 2 reports, ...., 10 reports, and more than 10.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-19-2014 04:43 PM 
sourcetype="xyz" host=MA* Mthd="CreateReport"
| stats count as reportcount by user 
| eval reportcount=if(reportcount<10,tostring(reportcount),">10")
| stats dc(user) as numusers by reportcount
Reply

somesoni2
Revered Legend
‎09-19-2014 12:40 PM

try this

sourcetype="xyz" host=MA* Mthd="CreateReport" | stats count by User | eval ReportCount=case(count=1,"1",count=2,"2"...and so on, count=10="10", 1=1,"10 or more") | stats count by ReportCount
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...