I have just started using Splunk and it is quite alien to me. Hope you guys can help me out! I have the following search setup:
User_ID=B123456
| streamstats current=f window=1 last(Agent) as Prev_Agent
| eval Agent_Change=if(Agent==Prev_Agent, "True", "False")
| table Agent, Agent_Change
Basically, it is evaluating if the value of the field Agent is equal to the previous value for each event of a specific User (User_ID=B123456). Currently, it looks like this:
Agent | Agent_Change
rgrg1 | True
rgrg1 | True
rgrg1 | False
ytyt4 | False
rgrg1 | True
rgrg1 | True
rgrg1 | True
I would like to count the total number of True and False values for multiple Users (User_ID) and display it in one table.
User_ID | True | False
B123456 | 55 | 76
B654321 | 22 | 82
B567890 | 87 | 99
B098765 | 12 | 33
Hope someone can help me out or at least point me in the right direction.
Much appreciated!
Matthew
Can you share one complete sample event?
I would need to understand if all the required fields are in a single event, because you are using the user_id field later.
Hi,
Thanks for your reply. The sample event contains a large amount of data and the company I work for would not be happy about me sharing this sensitive information. However, it might help if I elaborate.
A unique user (User_ID=B123456) has multiple events containing the fields User_ID and Agent. For this user the User_ID field never changes.
The events of a second unique user (User_ID=B654321) are completely unrelated to the first user (User_ID=B123456), although they contain the same fields User_ID and Agent.
Basically, the count of true and false for each row (User) should be independent of the other rows (Users).
Hope this helps!
Let me know if you have any other questions.
Cheers!
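Putting the search from the first post together with the per-user independence described in this last reply, here is one way to get the requested table; this is an added example, not the asker's search, and it assumes User_ID and Agent are already extracted on every event and that the events come back in the order you want compared.

```spl
User_ID=*
| streamstats current=f window=1 last(Agent) as Prev_Agent by User_ID
| eval Agent_Change=if(Agent==Prev_Agent, "True", "False")
| chart count over User_ID by Agent_Change
```

The `by User_ID` on streamstats keeps each user's Prev_Agent separate, so one user's last event never feeds the next user's first comparison, and `chart count over User_ID by Agent_Change` pivots the per-user True/False counts into columns. The first event of each user has no Prev_Agent, so `Agent==Prev_Agent` is not true there and that event lands in the False column.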