Splunk Search

Query to return top ten users and the applications they connect to?

splunkn
Communicator

My events contain users and the applications they connect to. I want a query to return the top 10 users and the applications each of them connects to. Also, is it possible to display it in a chart?
I want the top 10 users, and then I just need the applications each user is connected to. I'm missing something. Any ideas?
Thanks in advance

1 Solution

kristian_kolb
Ultra Champion

Without knowing what your events look like, and not really understanding how you want the results presented, you could try one of the following - assuming the fields are called 'user' and 'application';

your_search | top user by application

which will give you the top 10 users for each application. Or - if there is more of a one-to-one relationship between users and applications, you could concatenate the two for presentation purposes;

your_search | eval user_app = user . application | top user_app

/K

splunkn
Communicator

I'm having users who are logged on to various applications, like below:
User1 logged to app1
User1 logged to app2
User2 logged to app1
User3 logged to app2 etc...
I want to take the top 10 users and need to append the applications they logged in to, as below:

User    Application    Count
User1   app1           10
        app2           5
User2   app1           4
User3   app2           4

I tried with the following search:

index=* sourcetype=* "login succeeded" [search index=* sourcetype=* "login succeeded" | top limit=10 user | fields user] | fields user,application_name | stats count by user,application_name

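To make the two approaches in this thread concrete, here is an added Python example that is not part of the original thread or of Splunk itself. It replays the pipeline over a handful of constructed "login succeeded" lines: `top limit=N user` as a subsearch feeding `stats count by user, application_name` (the follow-up post's query), and the accepted answer's `top user by application`. The key=value event format and the field names `user` and `application_name` are assumptions chosen to match the follow-up post; the sample events are made up.

```python
from collections import Counter

# Constructed sample events, not taken from the original thread. Each line
# mimics a "login succeeded" audit record carrying user and application_name
# fields; the format and field names are assumptions.
SAMPLE_EVENTS = """\
login succeeded user=User1 application_name=app1
login succeeded user=User1 application_name=app2
login succeeded user=User2 application_name=app1
login succeeded user=User1 application_name=app1
login succeeded user=User3 application_name=app2
login failed user=User4 application_name=app1
login succeeded user=User2 application_name=app1
login succeeded user=User1 application_name=app1
login succeeded user=User1 application_name=app2
login succeeded user=User4 application_name=app3
""".splitlines()


def parse_events(lines, needle="login succeeded"):
    """Keep only lines containing the search phrase and split their key=value
    tokens into dicts (the search-time field extraction Splunk would do)."""
    events = []
    for line in lines:
        if needle not in line:
            continue
        fields = {}
        for token in line.split():
            if "=" in token:
                key, value = token.split("=", 1)
                fields[key] = value
        events.append(fields)
    return events


def top_users(events, limit=10):
    """Equivalent of `| top limit=N user`: users ranked by event count,
    most active first. Ties keep first-seen order, as Counter.most_common does."""
    counts = Counter(e["user"] for e in events if "user" in e)
    return [user for user, _ in counts.most_common(limit)]


def count_by_user_app(events, users):
    """Equivalent of restricting the outer search to the subsearch's users and
    running `| stats count by user, application_name`. Rows come back ordered
    by the user's rank, then by count descending, then by application name."""
    rank = {u: i for i, u in enumerate(users)}
    counts = Counter(
        (e["user"], e["application_name"])
        for e in events
        if e.get("user") in rank and "application_name" in e
    )
    rows = [(user, app, n) for (user, app), n in counts.items()]
    rows.sort(key=lambda r: (rank[r[0]], -r[2], r[1]))
    return rows


def top_users_by_application(events, limit=10):
    """Equivalent of the accepted answer's `| top user by application`:
    for every application, its most frequent users with their counts."""
    per_app = {}
    for e in events:
        if "user" in e and "application_name" in e:
            per_app.setdefault(e["application_name"], Counter())[e["user"]] += 1
    return {app: c.most_common(limit) for app, c in sorted(per_app.items())}


def render(rows):
    """Lay the stats rows out the way the follow-up post asked for: the user is
    printed on its first row only, application and count on every row."""
    lines = [f"{'User':<8}{'Application':<14}Count"]
    previous = None
    for user, app, n in rows:
        label = user if user != previous else ""
        lines.append(f"{label:<8}{app:<14}{n}")
        previous = user
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    users = top_users(events, limit=10)
    print(render(count_by_user_app(events, users)))
    print(top_users_by_application(events))
```

Note that the subsearch form only restricts which users survive; `stats` itself returns one row per user/application pair, so the "user shown once" layout is purely a presentation step (here `render`), not something `stats` produces on its own. The `login failed` line is dropped by the phrase filter, which is what the `"login succeeded"` term in the original search does.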

strive
Influencer

Yes it is possible.

Are you facing any issues? Have you tried writing the searches?

You also need to post the log events for folks to help you.
