Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

create a table with one column will display some items on one field and another column to display all other items from the same field

d4rk_sp1d3r
Loves-to-Learn Lots
‎01-20-2020 03:45 AM

I have firewall logs where the field "user" has multiple user id's including guest and unknown. I need to count all the events with user guest and unknown then create a table where one column will provide the result, name the column as unauthenticated . The other column should display all other users with the field name authenticated. Each row should also display the firewall name.

the table should display like this.
firewall |authenticated|unauthenticated
firewall1 | 100 | 35
firewall2 | 75 | 20
firewall3 | 65 |11

right now i can do this by doing 2 searches but it is displayed on 2 tables

ex. index=fw sourcetype=auth user=unknown AND user=guest | stats count by firewall
index=fw sourcetype=auth user!=unknown AND user!=guest | stats count by firewall

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-20-2020 09:25 AM

Try like this

 index=fw sourcetype=auth | eval type=if(user="unknown" OR user="guest", "unauthenticated", "authenticated") | chart count by firewall type

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-20-2020 09:25 AM

Try like this

 index=fw sourcetype=auth | eval type=if(user="unknown" OR user="guest", "unauthenticated", "authenticated") | chart count by firewall type
0 Karma
Reply
Solved! Jump to solution

d4rk_sp1d3r
Loves-to-Learn Lots
‎01-20-2020 07:04 PM

this worked for me. thanks alot!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2020 05:55 AM

The first query might have a typo in it. It's not possible for the 'user' field to be both "unknown" and "guest" at the same time.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

d4rk_sp1d3r
Loves-to-Learn Lots
‎01-20-2020 07:03 PM

that's not exactly the search i used so the spelling is not a concern. just want everyone to understand the question. the field user has different user id's in it. guest, unknown, user1, user2, so on and so fourth.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...