Solved: How to edit my search to create a table with the d...

DEAD_BEEF · ‎01-20-2016

I am trying to create a table that shows the number of distinct users that have logged into a machine. I am having problems getting the domain to appear next to the distinct user count.

Current search& output
index=logs event=logon | dc(username) AS UserCount

UserCount
106

DESIRED Output

Domain            UserCount
GUEST                 20
INTERNAL              72
EXTERNAL              4
WIRELESS              10

I tried various permutations of stats count by, table, and sum, but I just can't seem to figure it out.

s2_splunk · ‎01-20-2016

Does index=logs event=logon | stats dc(username) AS UserCount by Domain not give you what you want?

View solution in original post

s2_splunk · ‎01-20-2016

Does index=logs event=logon | stats dc(username) AS UserCount by Domain not give you what you want?

DEAD_BEEF · ‎01-20-2016

Yea... that's exactly what I needed. Can't believe I overlooked something so simple, I was waaaay over-thinking it. Thank you.

How to edit my search to create a table with the distinct count of users by domain?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms