Solved: List of users sharing files

fuzzy_rocks · ‎01-12-2014

I am looking to get a list of unique users who share files. The logs have an entry when a file is accessed with the FileID and the UserID. Doing something like .....| stats dc(UserID) AS UserCount by FileID | where UserCount>1 gives me the number of files that are shared (more than 1 user accessed it), but I don't quite know how to extract the list of distinct UserIDs from that list. I've tried chart, but with a large number of users (>10,000) it produces a huge number of columns and seems to crash. i'm really just after the count of unique UserIDs, so if there is a way to produce just that number and avoid a huge table output that would be very helpful. Thanks!

Ayn · ‎01-12-2014

The stats command values() does this.

... | stats dc(UserID) AS UserCount, values(UserID) as UniqueUsers by FileID | ...

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions

View solution in original post

Ayn · ‎01-12-2014

The stats command values() does this.

... | stats dc(UserID) AS UserCount, values(UserID) as UniqueUsers by FileID | ...

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions

fuzzy_rocks · ‎01-13-2014

Thanks - exactly what I was looking for!

List of users sharing files

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life