Solved: Re: count on 2 fields

sgsplunk78 · ‎10-21-2013

Hello,

The command Who returns me the log :
USERNAME LINE HOSTNAME TIME root pts/1 PC1.domain.com Oct 21 14:17 root pts/2 PC2.domain.com Oct 21 14:17 USER3 pts/4 PC3.domain.com Oct 17 17:19

host = HOSTA source = who sourcetype = who

I would like to know who is connecting to my servers and from which terminal. I use the command : index=Logs source="who" (host=HOSTA) | multikv forceheader=1 | chart count by HOSTNAME, host.
Result =

HOSTNAME ↧ HOSTA↕

PC1.domain.com 48

PC2.domain.com 4

PC3.domain.com 2

But there is not the column USERNAME. I would like, a colum : Hostname,a column : Username, and the column : Host containing the count as it's done at the moment. It will be very cool if I could have the last day the couple USERNAME/Hostname has been seen.

Thanks for your help,

Regards,

lukejadamec · ‎10-21-2013

Have you tried:

index=Logs source="who" (host=HOSTA) | multikv forceheader=1  | chart count by USERNAME,HOSTNAME,host

View solution in original post

lukejadamec · ‎10-21-2013

Have you tried:

index=Logs source="who" (host=HOSTA) | multikv forceheader=1  | chart count by USERNAME,HOSTNAME,host

sgsplunk78 · ‎10-21-2013

YES!!!!
Thanks a lot

aholzer · ‎10-21-2013

do stats instead of chart

sgsplunk78 · ‎10-21-2013

Yes,
but it returns me :
Error in 'chart' command: The argument 'host' is invalid.

It seems that if I put more than 2 fields after "chart count by", an error occurs....

Thanks,

count on 2 fields

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability