Splunk Search

Table with true and false (column) counts for specific users (rows)

Matthew86
Explorer
Hi there,

I have just started using Splunk and it is quite alien to me. Hope you guys can help me out! I have the following search set up:

User_ID=B123456
| streamstats current=f window=1 last(Agent) as Prev_Agent
| eval Agent_Change=if(Agent==Prev_Agent, "True", "False")
| table Agent, Agent_Change

 

Basically, it is evaluating whether the value of the field Agent is equal to the previous value for each event of a specific user (User_ID=B123456). Currently, it looks like this:

 

Agent  | Agent_Change
rgrg1  | True
rgrg1  | True
rgrg1  | False
ytyt4  | False
rgrg1  | True
rgrg1  | True
rgrg1  | True

 

I would like to count the total number of True and False values for multiple users (User_ID) and display them in one table:

 

User_ID | True | False
B123456 |   55 |    76
B654321 |   22 |    82
B567890 |   87 |    99
B098765 |   12 |    33

 

Hope someone can help me out or at least point me in the right direction.

Much appreciated! 

Matthew

0 Karma

thambisetty
SplunkTrust

Can you share one complete sample event?

I would need to understand if all the required fields are in a single event, because you are using the user_id field later.

————————————
If this helps, give a like below.
0 Karma

Matthew86
Explorer

Hi, 

Thanks for your reply. The sample event contains a large amount of data and the company I work for would not be happy about me sharing this sensitive information. However, it might help if I elaborate.

A unique user (User_ID=B123456) has multiple events containing the fields User_ID and Agent. For this user, the User_ID field never changes.

The events of a second unique user (User_ID=B654321) are completely unrelated to the first user (User_ID=B123456), although they contain the same fields, User_ID and Agent.

Basically, the count of true and false for each row (User) should be independent of the other rows (Users). 

Hope this helps! 

Let me know if you have any other questions. 

Cheers! 

 

0 Karma
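One way to build the per-user True/False table asked for in the question, taking into account the clarification above that each user's counts must be independent of the others. This is an added example and not part of the thread or of Splunk's documentation. It assumes the events are stored under index=main and sourcetype=agent_events (placeholder names; substitute your own), that _time is the event timestamp, and that the four User_ID values from the question are the ones of interest; it keeps the question's own definition of Agent_Change (True when Agent equals the previous event's Agent).

```spl
index=main sourcetype=agent_events User_ID IN (B123456, B654321, B567890, B098765)
| sort 0 _time
| streamstats current=f window=1 last(Agent) as Prev_Agent by User_ID
| eval Agent_Change=if(Agent==Prev_Agent, "True", "False")
| chart count over User_ID by Agent_Change
| table User_ID, True, False
```

Line by line: `sort 0 _time` puts the events in chronological order (search results arrive newest first by default, so without it "previous" would actually mean the next newer event); `by User_ID` on streamstats is what keeps each user's sequence independent, so the last event of one user is never used as Prev_Agent for the first event of another; `chart count over User_ID by Agent_Change` produces one row per User_ID with a column per Agent_Change value, filling combinations that never occur with 0; the final `table` just fixes the column order. One caveat: the first event of each user has no Prev_Agent, so `Agent==Prev_Agent` is not true for it and it lands in the False column. If that should not be counted, add `| where isnotnull(Prev_Agent)` before the chart command.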