Splunk Search

dedup results in a table and count them

ndcl
Path Finder

Hi Base,

I just want to create a table from logon events on several servers grouped by computer. So the normal approach is: … | stats list(User) by Computer. OK, this gives me a list with all the users per computer. But if a user logged on several times in the selected time range I will also get multiple entries of this user. This does not look nice. I want to dedup the user and add a column with the count of occurrences. Like:

Comp1  user1  3
       user2  6
       user3  9
Comp2  user1  1
       user4  5

and so on.

So, all keywords are in that question (dedup and count), but:
Dedup leaves only one user entry. All others on other computers are gone, and count only counts all users.

A search like this: stats count(User) by ComputerName, User will count the user but list the computer every time.

I think this is not very difficult, but I didn't get it. Someone with a hint here?

Thanks


fbl_itcs
Path Finder

Hi, it's been a while but maybe the answer is still needed:

... | stats values(User) by Computer

will give you a deduped list of the users.

Another approach would be to do a dedup. You can dedup more than one field, so:

... | dedup User, Computer | ...

will give you any combination of those two fields, but only once.

Kind regards,
Felix

amit_saxena
Communicator

Hi,

How about using "dedup ComputerName, User" ?

Regards,
Amit Saxena


ndcl
Path Finder

Yep, and this is prob 1. Dedup will remove every occurrence of a user beyond the first, but the user can log on several times and on several computers, and I want to keep them.


linu1988
Champion

Hi,
Could we try this?

... | stats count AS Logins by User, Server | stats list(User) AS Users, list(Logins) AS "Login Count" by Server

I think this will give you the unique combination with number of counts.

Thanks
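To make clear what the two-stage stats pipeline in the accepted answer computes, and why a plain dedup on User loses rows, here is a small Python model of it. This is an added example, not code from the thread or from Splunk: it runs the same aggregation over a handful of constructed logon events (the event values, field names Computer/User and helper names are assumptions for illustration). The first function corresponds to `stats count AS Logins by User, Computer`, the second to the follow-up `stats list(...) by Computer`, and a third regroups the same counts by user, which is the view you would use to spot an account that logs on to many machines.

```python
from collections import Counter, defaultdict

# Constructed sample logon events (not taken from the thread): one dict per event.
EVENTS = [
    {"Computer": "Comp1", "User": "user1"},
    {"Computer": "Comp1", "User": "user1"},
    {"Computer": "Comp1", "User": "user1"},
    {"Computer": "Comp1", "User": "user2"},
    {"Computer": "Comp2", "User": "user1"},
    {"Computer": "Comp2", "User": "user4"},
    {"Computer": "Comp2", "User": "user4"},
]


def logins_by_user_computer(events):
    """Stage 1, like '... | stats count AS Logins by User, Computer'.
    Returns {(user, computer): number of logon events}."""
    return Counter((e["User"], e["Computer"]) for e in events)


def users_per_computer(events):
    """Stage 2, like '... | stats list(User) AS Users, list(Logins) AS "Login Count" by Computer'.
    Returns {computer: [(user, logins), ...]}; rows are sorted so the output is stable."""
    table = defaultdict(list)
    for (user, computer), n in sorted(logins_by_user_computer(events).items()):
        table[computer].append((user, n))
    return dict(table)


def computers_per_user(events):
    """Same stage-1 counts regrouped by user: which machines did each account log on to?
    Returns {user: [(computer, logins), ...]}."""
    table = defaultdict(list)
    for (user, computer), n in sorted(logins_by_user_computer(events).items()):
        table[user].append((computer, n))
    return dict(table)


def dedup_user_only(events):
    """Models '... | dedup User': only the first event per user survives,
    so user1's logons on Comp2 vanish from the result."""
    seen = set()
    kept = []
    for e in events:
        if e["User"] not in seen:
            seen.add(e["User"])
            kept.append((e["Computer"], e["User"]))
    return kept


def render(table):
    """Print the per-computer table in the layout asked for in the question."""
    lines = []
    for computer, rows in table.items():
        for i, (user, n) in enumerate(rows):
            lines.append(f"{computer if i == 0 else '':<8}{user:<8}{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(users_per_computer(EVENTS)))
    print("dedup User keeps only:", dedup_user_only(EVENTS))
    print("per user:", computers_per_user(EVENTS))
```

The point of the two stages is that the first one already produces one row per unique (User, Computer) pair with its count; the second only collapses those rows into a list per computer. A single `dedup User` cannot do this because it has no notion of the pair, which is exactly the problem described earlier in the thread.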

ndcl
Path Finder

Hey,
this works and looks pretty nice!!!

Thanks!!!


linu1988
Champion

Made a change, Could you check and let me know if it's useful? Haven't tried it myself actually.


ndcl
Path Finder

Yep, this describes prob 2. I have all counts of users, but also the computer name for every user, and I want to group them by computer.
