Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

group by field values

Splunkster45
Communicator
‎09-18-2014 06:39 AM

Hi! I'm a new user and have begun using this awesome tool. I've got a question about how to group things, below.
Suppose I have a log file that has 2 options for the field host: host-a, host-b and 2 different users. The users are turned into a field by using the rex filed=_raw command.

This command will tells how many times each user has logged on:

index=spss earliest=-25h  "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?.*)" | stats count by user

This command will tells how many times each user has logged into each server

index=spss earliest=-25h  "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?.*)" | stats count by user host

It gives an output that looks something like the following:

user..........host..........count

user1........host-a..........2

user2........host-b..........5

user2........host-a..........3

How can I modify the post to get a unique list of how many people have logged onto each host e.g.

host..........count

host-a............2

host-b............1

I essentially want to group by user, but am not sure of how to do that. Thanks in advance!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎09-18-2014 06:43 AM

Welcome Splunkster45,

try this:

index=spss earliest=-25h  "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?.*)" | stats count(user) AS count by host

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎09-18-2014 06:43 AM

Welcome Splunkster45,

try this:

index=spss earliest=-25h  "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?.*)" | stats count(user) AS count by host

hope this helps ...

cheers, MuS

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...