- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract a list of unique users in a search ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is my first time using splunk and I have 2 questions. First of all, say I have when I enter a certain search (" Login succeeded for user: ") I get the following 4 values.
- Login succeeded for user: a1b2
- Login succeeded for user: c3d4
- Login succeeded for user: e5f6
- Login succeeded for user: a1b2
Is there a way that I can modify this query so that I can get a list of unique users (e.g. a1b2, c3d4, e5f6)? Essentially, as soon as the log finds one user, I want it to discard any other result that comes back with the same user. I do not have access to the props file and so I don't think that I can modify indexes on a permanent basis.
Secondly, is there a way that I can take 2 related queries (index=spss " Login succeeded for user: ") and (index=spss " Login failed for user: ") and get a count of how many times each one has occurred in the timeframe (e.g. 24 hours)? I'd like to be able to put those two numbers next to each other in a graph or table.
Thanks in advance! I look forward to using this tool (platform?)
I am running splunk 5.0.9
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, you need to extract usernames into a field, lets say "USER" after which you can achieve the statistics you want
index=spss " Login succeeded for user: " | rex "(?i)user: (?P<USER>.*)"
Unique List of users
index=spss " Login succeeded for user: " earliest=-24h@h | rex "(?i)user: (?P<USER>.*)" | dedup USER | table USER
Number of occurrences of each user within 24hrs
index=spss " Login succeeded for user: " earliest=-24h@h | rex "(?i)user: (?P<USER>.*)" | stats count by USER
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, you need to extract usernames into a field, lets say "USER" after which you can achieve the statistics you want
index=spss " Login succeeded for user: " | rex "(?i)user: (?P<USER>.*)"
Unique List of users
index=spss " Login succeeded for user: " earliest=-24h@h | rex "(?i)user: (?P<USER>.*)" | dedup USER | table USER
Number of occurrences of each user within 24hrs
index=spss " Login succeeded for user: " earliest=-24h@h | rex "(?i)user: (?P<USER>.*)" | stats count by USER
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
