Splunk Search

Count of Active users as well as Active bots

moohkhol
New Member

Dear Friends,

I am trying to stats count of Users and bots, separately,

sourcetype=access_combined | eval VSTR_TYPE =case( like(VSTR_GUID, "%%"),"ACTIVE_USER", VSTR_GUID="-","ACTIVE_BOT")| search VSTR_TYPE=* | stats dc(VSTR_IP) as COUNT by VSTR_TYPE  

Here i am only getting VSTR_TYPE as ACTIVE_USER, I am not getting any count for ACTIVE_BOT, however i can see my log message are having event where VSTR_GUID="-", can please help me in that, where i am doing wrong or is there any better way of doing that, where i can get count of all unique VSTR_IP where VSTR_GUID is present and also i can get count of all unique VSTR_IP where VSTR_GUID is null ("-"). Your help will be appreciated.

Tags (2)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Try swapping the two parts of the case() expression. The like() should match when the GUID is "-", putting all bots as users.

View solution in original post

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Try swapping the two parts of the case() expression. The like() should match when the GUID is "-", putting all bots as users.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...