Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter unique logins over specific time spans?

zsizemore
Path Finder
‎06-22-2016 10:28 AM

I couldn't exactly figure out how to phrase my question..

I'm working with data of users logging into a service from different places all around the world. What I'm trying to do is categorize and display the logins as very short term (all accesses w/in 24 hours), short term (all accesses w/in 7 days), and long term or repeat visitor (accesses over a more than 7 day period).

I'm new to Splunk so my starting point is 

| stats dc(User) as usercount count by IP_address 
| sort 0 -count 
| head 100
| iplocation IP_address
| table Country Region City usercount count 
| where isnotnull( City )

Any help or guidance would be appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-22-2016 11:39 AM

See if this gives you any ideas...

... | stats earliest(_time) as first_login latest(_time) as last_login by IP_Address user | eval term=last_login-first_login | eval term=case(term<86400, "Very Short", term>86400 AND term<(86400*7), "Short", term>(86400*7), "Long") | stats count dc(user) as usercount values(term) as term by IP_Address | iplocation IP_Address |

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-22-2016 11:39 AM

See if this gives you any ideas...

... | stats earliest(_time) as first_login latest(_time) as last_login by IP_Address user | eval term=last_login-first_login | eval term=case(term<86400, "Very Short", term>86400 AND term<(86400*7), "Short", term>(86400*7), "Long") | stats count dc(user) as usercount values(term) as term by IP_Address | iplocation IP_Address |
0 Karma
Reply
Solved! Jump to solution

zsizemore
Path Finder
‎06-22-2016 12:57 PM

Thanks for the quick response -- I tried that code and got an "Error in 'stats command: The argument 'login' is invalid."

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎06-22-2016 01:06 PM

There's first_login and last_login, there's not login. Can you post your search

0 Karma
Reply
Solved! Jump to solution

zsizemore
Path Finder
‎06-22-2016 01:12 PM

I was able to get it to run but there was no results found under Statistics so I'm not sure what went wrong.

Edit: I had to change the capitalization for some of the variables but i'm getting results now!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎06-22-2016 02:41 PM

Great! Please accept the answer to close it out.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...