In the index for SiteMinder called cams_prod, there are trace files with the type smtrace. Using these trace files, find the logs for the application using 'Center realm'. Then create a regular expression to mine the User id. You will notice that Userids are able to be found many times each minute. We need to filter this so it only shows once per minute.
Hi,
to show only one Userid per minute, use the dc function in your query this way:
...|stats dc(Userid) by ...
Or
...|timechart dc(Userid) by ...
Hi Moiezuddin,
Thanks for the question.
I am new to Splunk, trying to develop some sample SiteMinder dashboards as a PoC.
I hope you have some idea about the smaccess log and the smps log.
Using the smps log, we are trying to develop some alerts for the performance monitoring of SiteMinder.
Can you please explain if you have done any in your environment?
Was it possible to create a table like the total number of users that have accessed a particular application in a 24-hour time period, using azaccept and uid in smaccess.log?
Thanks,
index=casm_prod sourcetype=smtrace | bucket _time span=1m | stats count by _time, USER_id | sort - count
With the above query, I noticed that USER_id values can be found many times each minute.
I need to filter this in such a way that each one only shows once per minute.
Kindly help.
Ok guy,
Try this with the dedup command:
...|stats dc(USER_id) by ... | dedup USER_id sortby +_time
Or this with the uniq command:
index=casm_prod sourcetype=smtrace | bucket _time span=1m | stats count by _time, USER_id | sort - count | uniq
Thanks a lot, it's working fine.
No mention. I'm here to help you solve your problems.
Could you post some sample data, your current search, and a mock-up of your desired output please?
index=casm_prod sourcetype=smtrace | bucket _time span=1m | stats count by _time, USER_id | sort - count
With the above query, I noticed that USER_id values can be found many times each minute.
I need to filter this in such a way that each one only shows once per minute.
Kindly help.
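
The once-per-minute filtering asked about in this thread, as an added example that is not part of any post above. The search builds six constructed sample events with makeresults (the user names and timestamps are made up; only the field name USER_id comes from the thread), buckets them into one-minute spans, and keeps a single row per user per minute with dedup on both fields.

```spl
| makeresults count=6
| streamstats count as n
| eval _time = relative_time(now(), "@m") - case(n<=3, 60, true(), 0) + n
| eval USER_id = case(n==1, "user_a", n==2, "user_a", n==3, "user_b", n==4, "user_a", n==5, "user_b", n==6, "user_b")
| bin _time span=1m
| dedup _time USER_id
| sort _time USER_id
| table _time USER_id
```

Against real data, replace the lines before `| bin` with the base search from the thread. Swapping the dedup line for `| stats dc(USER_id) by _time` returns the number of distinct users in each minute instead of the list of users.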