Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to modify my search to show users who have visited both category="Entertainment" and category="Business"?

ivar9692
Explorer
‎10-05-2016 03:24 AM

I'm using following search but it's not working:

index=proxy_logs  category="Entertainment"  category="Business" | stats ..

This search is not giving results but in logs I have users who visited sites with both categories.

Like a user visited site1 with category="Entertainment" and while further surfing, he visited another site2 category="Business".
I need to find such users.

If using this search: 

index=bluecoat  category="Translation" OR category="Pornography"

it is giving results. But in those results, I have users who accessed either one of them not both of them.

Please tell me if you need more information.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

govindsinghrawa
Path Finder
‎10-06-2016 12:02 AM

try this if your user name field is say "userName":

index=bluecoat category="Translation" OR category="Pornography" | stats dc(category) as distinctCategory by userName| where distinctCategory>=2

View solution in original post

Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎10-23-2016 08:25 PM

Hi @ivar9692 - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Thanks!

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-06-2016 12:36 AM

Please check this one - 

 index=proxy_logs  category="Entertainment"  [ search index=proxy_logs category="Business" | table UserNames ] | stats ..
0 Karma
Reply
Solved! Jump to solution
Solution

govindsinghrawa
Path Finder
‎10-06-2016 12:02 AM

try this if your user name field is say "userName":

index=bluecoat category="Translation" OR category="Pornography" | stats dc(category) as distinctCategory by userName| where distinctCategory>=2

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-05-2016 11:29 PM

Try like this. Replace PutYourUserFieldHere with the field that you want to use for user

index=bluecoat  category="Translation" OR category="Pornography"  | stats values(category) as category by PutYourUserFieldHere | where mvcount(category)=2
0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎10-05-2016 05:43 PM

I don't have the answer, but the problem with your first search is that it is looking for single events that contain both categories at the same time, which is not possible with single value fields.
Fear not, I'm sure someone will show you how to use your search and sort them out by user so that only users that did both in different events are listed.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...