Solved: Stats count from different sources

gnoellbn · ‎08-02-2013

Hello,

I'm trying to show login stats from different sources by user. Those two sources d'on't show user with the same field (Nom_de_l_utilisateur and user).

This search shows "No results". If I display either one or the other it works but not both at the same time.

(source="WinEventLog:Security" "CategoryString=Ouverture/fermeture" "Type=Failure" Type="Failure Audit") OR (source=udp:514 eventtype="failed_login") | regex host!="[QqZzVv][0-9].*" | search NOT "FortiService" | stats count by Nom_de_l_utilisateur,user

Thanks in advance 🙂

jonuwz · ‎08-02-2013

replace :

stats count by Nom_de_l_utilisateur,user

with :

eval user=coalesce(Nom_de_l_utilisateur,user) | stats count by user

This sets user to the 1st non-null value of Nom_de_l_utilisateur or user.

The trick is to get the data you need in 1 field.

View solution in original post

jonuwz · ‎08-02-2013

replace :

stats count by Nom_de_l_utilisateur,user

with :

eval user=coalesce(Nom_de_l_utilisateur,user) | stats count by user

This sets user to the 1st non-null value of Nom_de_l_utilisateur or user.

The trick is to get the data you need in 1 field.

Stats count from different sources

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes