- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I chart pairs of values within the same fi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have entries in my log which can have the same username but can have multiple machine_types. For example, user "jack" only uses Windows while user "jim" uses Windows and Linux. I want to know how many people use only Windows, how many use Windows+Linux, how many use Windows+Mac, Linux+Mac, etc.
My current query looks like this:
sourcetype="usermachines" | dedup username,machine_type | eval pairs=machine_type+"-"+machine_type | chart count by pairs
However, the pairs look like this:
- Windows-Windows
- Mac-Mac
- Linux-Linux
Am I taking the right approach? If so, how can I use machine_type twice and ask Splunk to read them as separate fields (as if multiplying rows to get two dimensions)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you're doing just removes duplicates where machine_type and username are the same.
So when you do machine_type+"-"+machine_type its concatenating 'machine_type' with itself (in the same event)
You probably want to do something like
sourcetype="usermachines" | stats values(machine_type) as machine_types by username | eval machine_types_by_user=mvjoin(machine_types,"-") | table username machine_types_by_user
This groups all the different values of machine_type for the users.
It then takes the multivalue field 'machine_types' and flattens it by joining the values with a '-'
This might be all you need though :
sourcetype="usermachines" | stats values(machine_type) as machine_types by username
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you're doing just removes duplicates where machine_type and username are the same.
So when you do machine_type+"-"+machine_type its concatenating 'machine_type' with itself (in the same event)
You probably want to do something like
sourcetype="usermachines" | stats values(machine_type) as machine_types by username | eval machine_types_by_user=mvjoin(machine_types,"-") | table username machine_types_by_user
This groups all the different values of machine_type for the users.
It then takes the multivalue field 'machine_types' and flattens it by joining the values with a '-'
This might be all you need though :
sourcetype="usermachines" | stats values(machine_type) as machine_types by username
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
