Splunk Search

I would like to create a table similar to the following:

Of Reports Created Users %

>10                                23              3
 10                                4               1
  9                                3               0
  8                                3               0
  .
  .
  .
  1                               433             57

The search is only: sourcetype="xyz" host=MA* Mthd="CreateReport"

So, want to know how many users created 1 report, 2 reports, ...., 10 reports, and more than 10.

sourcetype="xyz" host=MA* Mthd="CreateReport"
| stats count as reportcount by user 
| eval reportcount=if(reportcount<10,tostring(reportcount),">10")
| stats dc(user) as numusers by reportcount

try this

sourcetype="xyz" host=MA* Mthd="CreateReport" | stats count by User | eval ReportCount=case(count=1,"1",count=2,"2"...and so on, count=10="10", 1=1,"10 or more") | stats count by ReportCount

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...