×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
hyleung
New Member
Member since: ‎07-09-2019
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-09-2019
View All

How to count Stats by two Fields in one search

by in Splunk Enterprise Security
‎07-09-2019 06:59 PM
‎07-09-2019 06:59 PM
I have tired the following commands to retrieve the results, but it fails. |from datamodel:"Authentication"."Failed _Authentication" | stats values(user) count by (action=failure), src | sort -count or |from datamodel:"Authentication"."Failed _Authentication" | stats values(user) values(src) count by (action=failure) | sort -count And I want to achieve the following results. +-------+--------+-------+ | User | src | count | +-------+--------+-------+ | Mary | IT1001 | 10 | +-------+--------+-------+ | Mary | IT1002 | 6 | +-------+--------+-------+ | Peter | IT2002 | 9 | +-------+--------+-------+ | Alan | IT3003 | 8 | +-------+--------+-------+ Please help me. Thanks. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM