Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Sort the "count by..." results

arkonner
Path Finder
‎04-15-2016 02:03 AM

I am using the search below for the locked out accounts - Should be possible to sort the result by the user with high number

Thank you in advance

`windowsindex` `windowssourcetype` "EventCode=644" OR "EventCode=4740" | eval Win2K8_acc = mvindex(Account_Name,1) | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) | timechart count by Locked_Account
Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-15-2016 02:06 AM

Do you need the timechart or a simple table would do the job?
If so:

windowsindex windowssourcetype "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc = mvindex(Account_Name,1) 
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) 
| top limit=0 Locked_Account

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-15-2016 02:06 AM

Do you need the timechart or a simple table would do the job?
If so:

windowsindex windowssourcetype "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc = mvindex(Account_Name,1) 
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) 
| top limit=0 Locked_Account
0 Karma
Reply
Solved! Jump to solution

arkonner
Path Finder
‎04-15-2016 04:45 AM

Hi,

I need a Timechart with the User legend sorted by user with highest number of locked-out instead of legend sort in alphabetic order.

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎04-15-2016 05:43 AM

That is a bit more complicated mainly because you don't have the totals per user and time in the same table.

The following might give you the best of both worlds:

windowsindex windowssourcetype "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc = mvindex(Account_Name,1) 
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) 
| timechart count by Locked_Account
| untable _time Locked_Account count
| eventstats sum(count) as total_count by Locked_Account
| xyseries _time Locked_Account count total_count

Let me know if that helps

0 Karma
Reply
Solved! Jump to solution

arkonner
Path Finder
‎04-18-2016 07:28 AM

your search duplicate the results as "count" and "total_count" reporting and the user list is empty

Using the search below whit a "line chart" the Legend is in alphabetic order - I am looking to sort the legend from the user with the highest number of locked-out events. 

 `windowsindex` `windowssourcetype` "EventCode=644" OR "EventCode=4740" | eval Win2K8_acc = mvindex(Account_Name,1) | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) | timechart count by Locked_Account
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...