Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Group data, but keeping data to be grouped.

dreadangel
Path Finder
‎03-28-2019 07:03 AM

Hi all,

I got some data structured next: 

url    user     event
-------------------------------------
Url1, user1, EventType1
Url1, user1, EventType2
Url2, user1, EventType3
Url2, user1, EventType1
Url1, user2, EventType1
Url2, user2, EventType2
Url3, user2, EventType3
...

My goal is to build a statistics table:

    [Url],  [Total events count], [Distinct users count], [Top $x users + count list]
    Url1                       2                       2                     user1 - 1
                                                                             user2 - 1
    -----------------------------------------------------------------------------------
    Url2,                      3,                      1,                    user1 - 1
                                                                             user2 - 1
    -----------------------------------------------------------------------------------
    Url3,                      1,                      1,                    user2 - 1
    -----------------------------------------------------------------------------------

After using stats command in pipeline grouped data isn't available anymore, so is it possible "to add" statistics to the result or should I use multiple subsearches - each acquiting its goal and after joining them?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-28-2019 07:53 AM

@dreadangel ,

Try

"base search"|stats dc(event) as "Event Count" , dc(user) as Distinct_Users, values(user) as Users by Url

If you need further stats by keeping this data , use eventstats . For eg. |eventstats count as "Total_URL_Count"

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

DMohn
Motivator
‎03-28-2019 08:12 AM

It might be a bit ugly, but this query gives exactly the result you want...

<your_base_query> | stats count as "Total Events", dc(user) as "Distinct Users" by url | appendcols [<your_base_query> | stats count by url, user | eval user = user." - ".count | stats list(user) as "Users + count" by url]

In case you want a distinct event count an no total count, just swap the first stats count for a stats dc(events)

Reply
Solved! Jump to solution

dreadangel
Path Finder
‎03-29-2019 03:44 AM

Thank you for the tip...

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-28-2019 07:53 AM

@dreadangel ,

Try

"base search"|stats dc(event) as "Event Count" , dc(user) as Distinct_Users, values(user) as Users by Url

If you need further stats by keeping this data , use eventstats . For eg. |eventstats count as "Total_URL_Count"

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

dreadangel
Path Finder
‎03-29-2019 03:44 AM

Thank you for the tip upon eventstats - this indeed solves

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...