Splunk Enterprise Security

How to get a list of logins without a count or multiple entries for users logging in?

Hegemon76
Communicator

This is easy and hard to describe.

Let's say you have 250 users logging in during the course of the day (this question is posed for any type of event but this is easier).

Some are logging in more than others. All I want to do is get a list of logins without a count or multiple entries.

So for instance, I try using the table command and it will say Jim Smith logged in without a count but 9 out of the ten entries in the table will be Jim Smith. I just want to see Jim Smith one time. That is it! I suspect this is amazingly easy to do but for the life of me I cannot figure it out.

0 Karma
1 Solution

acharlieh
Influencer

There are multiple ways of skinning this proverbial cat; a lot depends on the scale of data you're dealing with and what you're doing with this data afterwards.

A couple of options could use the stats command.

<base search> | stats count by user

would give you a single row per user, and the count of events where user has a particular value. If you don't care about count, you could get rid of it using fields:

<base search> | stats count by user | fields - count

Alternatively you could use the values stats function:

<base search> | stats values(user) as users

This returns a single record with multiple values, one per unique user, which could be expanded to multiple records with one value per record with the mvexpand command.

<base search> | stats values(user) as user | mvexpand user

Now, stats gets rid of the actual events and is a bit more costly execution-wise; you could use dedup to keep a single event per user:

<base search> | dedup user

Hopefully this gives you a number of options, one or more of which you may want to try... and this doesn't even get into chart and timechart for when you want that information not in isolation but against other variables...


0 Karma
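As an added example (not part of the answer above), a defender-oriented extension of the `stats ... by user` approach: one row per user that still keeps the login timeline and source information that `fields - count` would throw away. The index and field names (`index=auth`, `action=success`, `src_ip`, `user`) are assumptions; substitute your own. The second search does the same collapse with dedup, keeping the single most recent login event per user, so the event's other fields survive.

```spl
index=auth action=success
| stats count AS logins
        earliest(_time) AS first_login
        latest(_time)   AS last_login
        dc(src_ip)      AS distinct_sources
        values(src_ip)  AS sources
  BY user
| eval first_login=strftime(first_login, "%Y-%m-%d %H:%M:%S"),
       last_login=strftime(last_login, "%Y-%m-%d %H:%M:%S")
| sort - distinct_sources, - logins

index=auth action=success
| dedup user sortby -_time
| table _time user src_ip
```

Sorting by `distinct_sources` puts accounts that logged in from the most places at the top, which is usually the first thing worth a look when reviewing a day's logins.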

Hegemon76
Communicator

Right after I posted the question I remembered dedup!

Always happens....

Appreciate your assistance!

0 Karma
