Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

how to make a complex query on logs

holmla
New Member
‎02-13-2014 03:34 AM

The data I have can be condensed to rows of:
user: device: version:

( notation: 2x v1 = user with 2 devices, each with version: v1 )
A user can have any amount of devices, each having some version. What i would like to get is a count of how many users there are with each existing spread of versions, so that a user with 1x v1 is in a different category than a user with 1x v1 and 1x v2, A user can also have 2 devices with v1, and i would like those users separated as well.

for instance:
20 users with 1x v1
25 users with 1x v2
5 users with 2x v1
...
37 users with 2x v2 and 1x v3
39 users with 3x v2 and 1x v3
... and so on

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-13-2014 04:21 AM

'... | stats count(user) by version | ...'

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

holmla
New Member
‎02-13-2014 04:26 AM

That gives me:
v1: n
v2: m
...
It doesn't tell me anything about how many users with combination of v1 AND v2 for instance

0 Karma
Reply

holmla
New Member
‎02-13-2014 03:57 AM

The captcha on editing a post seems to be broken, gave up after 40 or so attempts. Anyway,
The data I have can be condensed to rows of:
user:"This is used to differentiate users" device: "this is unique per device" version: this has four possible values: v1,v2,v3,v4"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...