Splunk Search

how to make a complex query on logs

holmla
New Member

The data I have can be condensed to rows of:
user: device: version:

( notation: 2x v1 = user with 2 devices, each with version: v1 )
A user can have any number of devices, each having some version. What I would like to get is a count of how many users there are with each existing spread of versions, so that a user with 1x v1 is in a different category than a user with 1x v1 and 1x v2. A user can also have 2 devices with v1, and I would like those users separated as well.

for instance:
20 users with 1x v1
25 users with 1x v2
5 users with 2x v1
...
37 users with 2x v2 and 1x v3
39 users with 3x v2 and 1x v3
... and so on


richgalloway
SplunkTrust

'... | stats count(user) by version | ...'

---
If this reply helps you, Karma would be appreciated.

holmla
New Member

That gives me:
v1: n
v2: m
...
It doesn't tell me anything about how many users have a combination of v1 AND v2, for instance.


holmla
New Member

The captcha on editing a post seems to be broken, gave up after 40 or so attempts. Anyway,
The data I have can be condensed to rows of:
user: "This is used to differentiate users" device: "this is unique per device" version: "this has four possible values: v1, v2, v3, v4"

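The grouping asked for in the question (users counted by their whole spread of device versions, with 2x v1 kept apart from 1x v1, and 1x v1 plus 1x v2 kept apart from either) can be built in SPL in stages. The search below is an added example written for this thread, not a query posted by anyone in it or shipped with Splunk. It assumes the three fields named in the thread (user, device, version), an index and sourcetype that are placeholders, and that a device may appear in many events, so the first stats collapses each device to the version it last reported; if each device already appears exactly once, that stage can be dropped.

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE
| stats latest(version) AS version BY user device
| stats count AS n BY user version
| eval part = n . "x " . version
| sort 0 user version
| stats list(part) AS spread BY user
| eval spread = mvjoin(spread, " and ")
| stats count AS users BY spread
| sort - users
```

Stage by stage: the second stats counts devices per user and version (a user with two v1 devices gets n=2 for v1); eval turns that into the "2x v1" label the question uses; sort 0 fixes the order so list() assembles the same label sequence for every user with the same spread (values() would also work but sorts the labels as strings); mvjoin flattens the multivalue field into one key such as "2x v2 and 1x v3"; the final stats counts distinct users per key. The result has one row per spread, which is the table the question sketches.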