Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I chart pairs of values within the same field

HXCaine
Path Finder
‎08-31-2012 10:35 AM

I have entries in my log which can have the same username but can have multiple machine_types. For example, user "jack" only uses Windows while user "jim" uses Windows and Linux. I want to know how many people use only Windows, how many use Windows+Linux, how many use Windows+Mac, Linux+Mac, etc.

My current query looks like this:

sourcetype="usermachines" | dedup username,machine_type | eval pairs=machine_type+"-"+machine_type | chart count by pairs

However, the pairs look like this:

  • Windows-Windows
  • Mac-Mac
  • Linux-Linux

Am I taking the right approach? If so, how can I use machine_type twice and ask Splunk to read them as separate fields (as if multiplying rows to get two dimensions)?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎08-31-2012 12:23 PM

What you're doing just removes duplicates where machine_type and username are the same.
So when you do machine_type+"-"+machine_type its concatenating 'machine_type' with itself (in the same event)

You probably want to do something like

sourcetype="usermachines" | stats values(machine_type) as machine_types by username | eval machine_types_by_user=mvjoin(machine_types,"-") | table username machine_types_by_user

This groups all the different values of machine_type for the users.

It then takes the multivalue field 'machine_types' and flattens it by joining the values with a '-'

This might be all you need though :

sourcetype="usermachines" | stats values(machine_type) as machine_types by username

View solution in original post

Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎08-31-2012 12:23 PM

What you're doing just removes duplicates where machine_type and username are the same.
So when you do machine_type+"-"+machine_type its concatenating 'machine_type' with itself (in the same event)

You probably want to do something like

sourcetype="usermachines" | stats values(machine_type) as machine_types by username | eval machine_types_by_user=mvjoin(machine_types,"-") | table username machine_types_by_user

This groups all the different values of machine_type for the users.

It then takes the multivalue field 'machine_types' and flattens it by joining the values with a '-'

This might be all you need though :

sourcetype="usermachines" | stats values(machine_type) as machine_types by username
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...