Re: How can I edit my search to chart relationship...

jlkokko · ‎05-13-2016

I have a simple search parsing project activity logs to pull a list of projects and people working on those projects:

index="main" | dedup Author Proj_repo | stats list(Proj_repo) AS Project by Author

This successfully returns a list of Authors and list of their projects. What kind of function(s) could I use to chart the relationships between authors? Something showing the Authors and how they're linked to the other Authors across projects.

woodcock · ‎05-15-2016

Here are some:

index="main" | rename Proj_repo AS Project
| eventstats count AS updates BY Author Project
| eval updatesThisAuthor  = Project . ":" . updates
| eval updatesThisProject = Author  . ":" . updates
| multireport
   [ stats values(Project) dc(Project) values(updatesThisAuthor)  BY Author ]
   [ stats values(Author)  dc(Author)  values(updatesThisProject) BY Project ]

jlkokko · ‎05-16-2016

Ty for the pointer - One step forward 🙂

Here's a sample of the output columns I get:

Author   Project   dc(Author)   dc(Project)   values(Author)   values(Project)

I get values under Author, dc(Project) and values(Project). All other columns are empty.

jlkokko · ‎05-16-2016

just noticed if I switch the stats func under mutli report I can get a value for dc(Author) so that gives me an additional value needed...

woodcock · ‎05-19-2016

I had a typo and used count instead of updates. I edited the original answer to fix. Try it now.

How can I edit my search to chart relationships between values for a certain field in my data?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?