Hi All and thanks in advance,
I am currently using Splunk to grab a server's security logs. I would like to run a search to find out the unique users who log in a month or during a given time. Ideally I would be able to get the username of the user. Is this possible? All I can see from research is that I will need to use the distinct count function(DC).
If you have any questions please let me know. I am grateful for all advice given.
Thanks,
SG
You can do something like:
<search> | stats count by username
Or:
<search> | dedup username | table username
Neither commands seemed to show up anything. I have now got up to host="DC01-DEV" Account_Name="*" this seems to show up all the ones but you then have to expand each one to show account name. Also this is not unique account names. How would I make it so it purely lists the users and I do not have to expand this?
Thanks,
SG