Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to modify my search to show users who have visited both category="Entertainment" and category="Business"?

ivar9692
Explorer
‎10-05-2016 03:24 AM

I'm using following search but it's not working:

index=proxy_logs  category="Entertainment"  category="Business" | stats ..

This search is not giving results but in logs I have users who visited sites with both categories.

Like a user visited site1 with category="Entertainment" and while further surfing, he visited another site2 category="Business".
I need to find such users.

If using this search: 

index=bluecoat  category="Translation" OR category="Pornography"

it is giving results. But in those results, I have users who accessed either one of them not both of them.

Please tell me if you need more information.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

govindsinghrawa
Path Finder
‎10-06-2016 12:02 AM

try this if your user name field is say "userName":

index=bluecoat category="Translation" OR category="Pornography" | stats dc(category) as distinctCategory by userName| where distinctCategory>=2

View solution in original post

Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎10-23-2016 08:25 PM

Hi @ivar9692 - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Thanks!

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-06-2016 12:36 AM

Please check this one - 

 index=proxy_logs  category="Entertainment"  [ search index=proxy_logs category="Business" | table UserNames ] | stats ..
0 Karma
Reply
Solved! Jump to solution
Solution

govindsinghrawa
Path Finder
‎10-06-2016 12:02 AM

try this if your user name field is say "userName":

index=bluecoat category="Translation" OR category="Pornography" | stats dc(category) as distinctCategory by userName| where distinctCategory>=2

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-05-2016 11:29 PM

Try like this. Replace PutYourUserFieldHere with the field that you want to use for user

index=bluecoat  category="Translation" OR category="Pornography"  | stats values(category) as category by PutYourUserFieldHere | where mvcount(category)=2
0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎10-05-2016 05:43 PM

I don't have the answer, but the problem with your first search is that it is looking for single events that contain both categories at the same time, which is not possible with single value fields.
Fear not, I'm sure someone will show you how to use your search and sort them out by user so that only users that did both in different events are listed.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...