This is my first time using Splunk and I have 2 questions. First of all, say that when I enter a certain search (" Login succeeded for user: ") I get the following 4 values.
Is there a way that I can modify this query so that I can get a list of unique users (e.g. a1b2, c3d4, e5f6)? Essentially, as soon as the log finds one user, I want it to discard any other result that comes back with the same user. I do not have access to the props file and so I don't think that I can modify indexes on a permanent basis.
Secondly, is there a way that I can take 2 related queries (index=spss " Login succeeded for user: ") and (index=spss " Login failed for user: ") and get a count of how many times each one has occurred in the timeframe (e.g. 24 hours)? I'd like to be able to put those two numbers next to each other in a graph or table.
Thanks in advance! I look forward to using this tool (platform?).
I am running Splunk 5.0.9.
First, you need to extract usernames into a field, let's say "USER", after which you can achieve the statistics you want:
index=spss " Login succeeded for user: " | rex "(?i)user: (?P<USER>.*)"
Unique list of users:
index=spss " Login succeeded for user: " earliest=-24h@h | rex "(?i)user: (?P<USER>.*)" | dedup USER | table USER
Number of occurrences of each user within 24 hrs:
index=spss " Login succeeded for user: " earliest=-24h@h | rex "(?i)user: (?P<USER>.*)" | stats count by USER
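To make the pipeline stages in the answer concrete (rex extraction, dedup USER, stats count by USER) and to cover the second question (succeeded and failed totals side by side), here is the same logic replayed in Python over constructed sample events; this is added here and is not code from the post, nor how Splunk evaluates these commands. The sample events, the "from 10.0.0.5" suffix used to show the difference between the answer's ".*" capture and a whitespace-bounded one, and the STRICT_USER_RE pattern are my assumptions; the 24-hour window (earliest=-24h@h) is left to the search itself.

```python
import re
from collections import Counter

# Constructed sample events (not from the original post). Usernames sit at the
# end of each event, exactly as the question's search string implies.
SAMPLE_EVENTS = [
    "2014-03-01T10:00:01 app=spss Login succeeded for user: a1b2",
    "2014-03-01T10:00:05 app=spss Login succeeded for user: c3d4",
    "2014-03-01T10:01:10 app=spss Login failed for user: e5f6",
    "2014-03-01T10:02:00 app=spss Login succeeded for user: a1b2",
    "2014-03-01T10:03:30 app=spss Login failed for user: e5f6",
    "2014-03-01T10:04:00 app=spss Login succeeded for user: e5f6",
]

# Same regex as the answer's rex stage. ".*" runs to the end of the event, so it
# returns a clean username only when nothing follows the name.
USER_RE = re.compile(r"(?i)user: (?P<USER>.*)")
# Stricter variant (an addition, not from the page): stop at the first whitespace.
STRICT_USER_RE = re.compile(r"(?i)user: (?P<USER>\S+)")
OUTCOME_RE = re.compile(r"Login (?P<outcome>succeeded|failed) for user: ")

def extract_user(event, pattern=USER_RE):
    """rex stage: the USER capture, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("USER").strip() if m else None

def matching(events, outcome):
    """Base search: keep only events for one outcome ("succeeded" or "failed")."""
    return [ev for ev in events if f"Login {outcome} for user: " in ev]

def unique_users(events, outcome="succeeded"):
    """dedup USER | table USER: one entry per user, in first-seen order."""
    seen = []
    for ev in matching(events, outcome):
        user = extract_user(ev)
        if user and user not in seen:
            seen.append(user)
    return seen

def count_by_user(events, outcome="succeeded"):
    """stats count by USER, for one outcome."""
    return Counter(extract_user(ev) for ev in matching(events, outcome))

def count_by_outcome(events):
    """Second question: succeeded and failed totals side by side."""
    counts = Counter(m.group("outcome") for m in map(OUTCOME_RE.search, events) if m)
    return {"succeeded": counts["succeeded"], "failed": counts["failed"]}
```

If the real events carry anything after the username (a source address, a session id), the ".*" capture folds it into USER and the dedup and count stages split one user into many; a whitespace-bounded capture keeps the statistics honest.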