Splunk Search

Table with true and false (column) counts for specific users (rows)

Matthew86
Explorer
Hi there, 
 

I have just started using Splunk and it is quite alien to me. Hope you guys can help me out! I have the following search setup: 

 

User_ID=B123456
| streamstats current=f window=1 last(Agent) as Prev_Agent
| eval Agent_Change=if(Agent==Prev_Agent, "True", "False")
| table Agent, Agent_Change

 

Basically, it is evaluating whether the value of the field Agent is equal to the previous value for each event of a specific user (User_ID=B123456). Currently, it looks like this:

 

Agent   | Agent_Change
rgrg1   | True
rgrg1   | True
rgrg1   | False
ytyt4   | False
rgrg1   | True
rgrg1   | True
rgrg1   | True

 

I would like to count the total number of True and False values for multiple users (User_ID) and display them in one table:

 

User_ID   | True | False
B123456   |  55  |  76
B654321   |  22  |  82
B567890   |  87  |  99
B098765   |  12  |  33

 

Hope someone can help me out or at least point me in the right direction.

Much appreciated! 

Matthew

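As an added example (not code from the original post or from any reply in this thread), one way to turn the per-user search above into the requested table. It assumes the events carry User_ID and Agent as the post describes and that the four User_ID values from the sample table are the users of interest; the index name is not given in the thread, so the search is restricted only by User_ID. Note that, with the eval as written in the post, "True" means the Agent did not change from the previous event.

```spl
(User_ID=B123456 OR User_ID=B654321 OR User_ID=B567890 OR User_ID=B098765)
| sort 0 _time
| streamstats current=f window=1 last(Agent) as Prev_Agent by User_ID
| eval Agent_Change=if(Agent==Prev_Agent, "True", "False")
| stats count(eval(Agent_Change=="True")) as True,
        count(eval(Agent_Change=="False")) as False
        by User_ID
```

Three points worth checking before trusting the numbers. The `by User_ID` clause on streamstats is what keeps each user's window independent: without it, the last event of one user becomes the "previous" event of the next user in the result set. The `sort 0 _time` is there because search results arrive newest first by default, so "previous" would otherwise mean the chronologically later event. Finally, the first event of each user has no Prev_Agent, so `Agent==Prev_Agent` is not true and that event lands in the False column; add `| where isnotnull(Prev_Agent)` before the stats command if you would rather drop it than count it.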

thambisetty
SplunkTrust

Can you share one complete sample event?

I would need to understand whether all the required fields are in a single event, because you are using the User_ID field later.


Matthew86
Explorer

Hi, 

Thanks for your reply. The sample event contains a large amount of data, and the company I work for would not be happy about me sharing this sensitive information. However, it might help if I elaborate.

A unique user (User_ID=B123456) has multiple events containing the fields User_ID and Agent. For this user, the User_ID field never changes.

The events of a second unique user (User_ID=B654321) are completely unrelated to the first user (User_ID=B123456), although they contain the same fields User_ID and Agent.

Basically, the count of True and False for each row (user) should be independent of the other rows (users).

Hope this helps! 

Let me know if you have any other questions. 

Cheers! 
