Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

separately calculated stats side by side in a table

hyddenlynx
Engager
‎10-14-2020 11:35 AM

I am building a table displayed in a splunk dashboard that needs a complicated query and I was hoping to get a quick pointer in the right direction.

Let's say I have a table of events at different levels per person.

idevent_idlevel_iduser_id
1111
2121
3112
4122
5132
6113

 

For these events, only the highest level event is relevant per person. How would I construct a query that shows the following stats, side by side:

1) the total number for each event at each level (3rd column below, I have this part) and 

2) the number of users at a specific event level (4th column below) this is basically the count of the highest level per event per person

The results I'm looking for would look like:

event_idlevel_idtotal_occuredtotal_users_at_level
1131
1221
1311

 

Any help would be greatly appreciated. Thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-14-2020 01:10 PM

Give this a try

your current query that returns fields:  id event_id level_id user_id
| eventstats count as total_occured by level_id
| stats last(event_id) as event_id last(level_id) as level_id last(total_occured) as total_occured by user_id
| stats values(total_occured) as total_occured dc(user_id) as total_users_at_level by event_id level_id

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-14-2020 01:10 PM

Give this a try

your current query that returns fields:  id event_id level_id user_id
| eventstats count as total_occured by level_id
| stats last(event_id) as event_id last(level_id) as level_id last(total_occured) as total_occured by user_id
| stats values(total_occured) as total_occured dc(user_id) as total_users_at_level by event_id level_id
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...