Count of values by sourcetype

mpuckettsc · ‎04-27-2017

This should be pretty simple, but I seem to lack the right terms to find my answer:

We have several source types with a field "user". All I would like to return is a table where users are the rows, sourcetypes are the columns and the values are the number of events a user appears in that source type.

So if it were a CSV, it'd look like

user,firewall-logs,linux-logs,windows-logs
bob,4,2,4
nancy,8,1,3
eve,0,4,2

A totals column at the end would be great, but I can live with out it.

mpuckettsc · ‎04-27-2017

I found what I was looking for,

(search) | chart count over user by sourcetype

Thanks!

DalJeanis · ‎04-27-2017

| addtotals

niketn · ‎04-27-2017

@mpuckettsc... Please accept DalJeanis answer as that is the complete answer you were looking for, addtotals will add Total of numeric fields as final column.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎04-27-2017

Please try the following:

<Your Base Search>
| chart count over user by sourcetype

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

DalJeanis · ‎04-27-2017

| makeresults
| eval mydata="Bob,firewall-logs,4 Bob,linux-logs,2 Bob,windows-logs,4 Nancy,firewall-logs,8 Nancy,linux-logs,1 Nancy,windows-logs,3 Eve,linux-logs,4 Eve,windows-logs,2"
| makemv mydata 
| mvexpand mydata
| rex field=mydata "(?[^,]+),(?[^,]+),(?.+)"
| table user sourcetype thecount
| rename COMMENT as "The above just produces test data as if you had done |stats count as thecount by user sourcetype" 

| chart sum(thecount) as count over user by sourcetype
| addtotals

Count of values by sourcetype

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!