Solved: Count of Active users as well as Active bots

moohkhol · ‎04-24-2014

Dear Friends,

I am trying to stats count of Users and bots, separately,

sourcetype=access_combined | eval VSTR_TYPE =case( like(VSTR_GUID, "%%"),"ACTIVE_USER", VSTR_GUID="-","ACTIVE_BOT")| search VSTR_TYPE=* | stats dc(VSTR_IP) as COUNT by VSTR_TYPE

Here i am only getting VSTR_TYPE as ACTIVE_USER, I am not getting any count for ACTIVE_BOT, however i can see my log message are having event where VSTR_GUID="-", can please help me in that, where i am doing wrong or is there any better way of doing that, where i can get count of all unique VSTR_IP where VSTR_GUID is present and also i can get count of all unique VSTR_IP where VSTR_GUID is null ("-"). Your help will be appreciated.

martin_mueller · ‎04-24-2014

Try swapping the two parts of the case() expression. The like() should match when the GUID is "-", putting all bots as users.

View solution in original post

martin_mueller · ‎04-24-2014

Try swapping the two parts of the case() expression. The like() should match when the GUID is "-", putting all bots as users.

Count of Active users as well as Active bots

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases