Splunk Search

How can I chart pairs of values within the same field

HXCaine
Path Finder

I have entries in my log which can have the same username but can have multiple machine_types. For example, user "jack" only uses Windows while user "jim" uses Windows and Linux. I want to know how many people use only Windows, how many use Windows+Linux, how many use Windows+Mac, Linux+Mac, etc.

My current query looks like this:

sourcetype="usermachines" | dedup username,machine_type | eval pairs=machine_type+"-"+machine_type | chart count by pairs

However, the pairs look like this:

  • Windows-Windows
  • Mac-Mac
  • Linux-Linux

Am I taking the right approach? If so, how can I use machine_type twice and ask Splunk to read them as separate fields (as if multiplying rows to get two dimensions)?

1 Solution

jonuwz
Influencer

What you're doing just removes duplicates where machine_type and username are the same.
So when you do machine_type+"-"+machine_type it's concatenating 'machine_type' with itself (in the same event).

You probably want to do something like

sourcetype="usermachines" | stats values(machine_type) as machine_types by username | eval machine_types_by_user=mvjoin(machine_types,"-") | table username machine_types_by_user

This groups all the different values of machine_type for the users.

It then takes the multivalue field 'machine_types' and flattens it by joining the values with a '-'.

This might be all you need, though:

sourcetype="usermachines" | stats values(machine_type) as machine_types by username

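The following is an added worked example, not part of the original thread or of Splunk's own code. It models both pipelines in Python over a small constructed set of "usermachines" events so you can see why the question's dedup-then-concatenate approach can only ever yield X-X pairs, and what the accepted answer's stats values() + mvjoin produces once you append the one step the question actually asked for, a count of users per combination (in SPL: ... | eval combo=mvjoin(machine_types,"-") | stats count by combo). The event list, user names and the helper function names (dedup, original_query, stats_values_by_user, combo_counts) are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample events for the hypothetical sourcetype "usermachines".
# Not taken from the original thread; chosen so that some users have one
# machine_type and others have two.
EVENTS = [
    {"username": "jack", "machine_type": "Windows"},
    {"username": "jack", "machine_type": "Windows"},
    {"username": "jim",  "machine_type": "Windows"},
    {"username": "jim",  "machine_type": "Linux"},
    {"username": "jim",  "machine_type": "Windows"},
    {"username": "sue",  "machine_type": "Mac"},
    {"username": "sue",  "machine_type": "Windows"},
    {"username": "bob",  "machine_type": "Linux"},
    {"username": "bob",  "machine_type": "Mac"},
    {"username": "amy",  "machine_type": "Windows"},
]


def dedup(events, *fields):
    """Model of `dedup f1,f2`: keep the first event seen for each
    combination of the named fields, preserving event order."""
    seen = set()
    out = []
    for e in events:
        key = tuple(e[f] for f in fields)
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def original_query(events):
    """The question's pipeline:
    dedup username,machine_type
    | eval pairs=machine_type+"-"+machine_type
    | chart count by pairs
    Both sides of the '+' read the same field of the same event, so
    every pair is X-X, and a two-platform user is counted twice."""
    counts = defaultdict(int)
    for e in dedup(events, "username", "machine_type"):
        pairs = e["machine_type"] + "-" + e["machine_type"]
        counts[pairs] += 1
    return dict(counts)


def stats_values_by_user(events):
    """Model of `stats values(machine_type) as machine_types by username`.
    values() returns each distinct value once, in lexicographical order,
    so the resulting multivalue field is the same whichever order the
    user's events arrived in."""
    per_user = defaultdict(set)
    for e in events:
        per_user[e["username"]].add(e["machine_type"])
    return {user: sorted(types) for user, types in per_user.items()}


def combo_counts(events):
    """The accepted answer plus the counting step the question wanted:
    | eval combo=mvjoin(machine_types,"-")
    | stats count by combo
    One row per user goes in, so each user is counted exactly once."""
    counts = defaultdict(int)
    for machine_types in stats_values_by_user(events).values():
        combo = "-".join(machine_types)   # mvjoin(machine_types, "-")
        counts[combo] += 1
    return dict(counts)


if __name__ == "__main__":
    print("original query:", original_query(EVENTS))
    print("per user:      ", stats_values_by_user(EVENTS))
    print("combo counts:  ", combo_counts(EVENTS))
```

Two things worth checking against your own data: the original query's buckets sum to more than the number of distinct users (8 here, for 5 users), which is the tell that users are being counted per machine_type rather than per combination; and because values() sorts, "Windows-Linux" and "Linux-Windows" collapse into a single "Linux-Windows" bucket, which is what you want for an unordered combination count.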
