Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Group data, but keeping data to be grouped.

dreadangel
Path Finder
‎03-28-2019 07:03 AM

Hi all,

I got some data structured next: 

url    user     event
-------------------------------------
Url1, user1, EventType1
Url1, user1, EventType2
Url2, user1, EventType3
Url2, user1, EventType1
Url1, user2, EventType1
Url2, user2, EventType2
Url3, user2, EventType3
...

My goal is to build a statistics table:

    [Url],  [Total events count], [Distinct users count], [Top $x users + count list]
    Url1                       2                       2                     user1 - 1
                                                                             user2 - 1
    -----------------------------------------------------------------------------------
    Url2,                      3,                      1,                    user1 - 1
                                                                             user2 - 1
    -----------------------------------------------------------------------------------
    Url3,                      1,                      1,                    user2 - 1
    -----------------------------------------------------------------------------------

After using stats command in pipeline grouped data isn't available anymore, so is it possible "to add" statistics to the result or should I use multiple subsearches - each acquiting its goal and after joining them?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-28-2019 07:53 AM

@dreadangel ,

Try

"base search"|stats dc(event) as "Event Count" , dc(user) as Distinct_Users, values(user) as Users by Url

If you need further stats by keeping this data , use eventstats . For eg. |eventstats count as "Total_URL_Count"

Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution

DMohn
Motivator
‎03-28-2019 08:12 AM

It might be a bit ugly, but this query gives exactly the result you want...

<your_base_query> | stats count as "Total Events", dc(user) as "Distinct Users" by url | appendcols [<your_base_query> | stats count by url, user | eval user = user." - ".count | stats list(user) as "Users + count" by url]

In case you want a distinct event count an no total count, just swap the first stats count for a stats dc(events)

Reply
Solved! Jump to solution

dreadangel
Path Finder
‎03-29-2019 03:44 AM

Thank you for the tip...

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-28-2019 07:53 AM

@dreadangel ,

Try

"base search"|stats dc(event) as "Event Count" , dc(user) as Distinct_Users, values(user) as Users by Url

If you need further stats by keeping this data , use eventstats . For eg. |eventstats count as "Total_URL_Count"

Happy Splunking!
Reply
Solved! Jump to solution

dreadangel
Path Finder
‎03-29-2019 03:44 AM

Thank you for the tip upon eventstats - this indeed solves

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...