https://community.splunk.com/t5/Splunk-Search/How-to-count-number-of-applications-associated-with-a-given-user/m-p/613129#M213085 <P>I'm working on a search that evaluates events for a specific index/sourcetype combination; the events reflect SSO information regarding user authentication success as well as applications the user has accessed while logged on. The search is a result of an ask to identify how many users have accessed 10 or fewer apps during their logon session.&nbsp;</P> <P>For the user, I'm using a field called "sm_user_dn"; for the app name, I'm using "sm_agentname". My search looks like this currently:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=foo sourcetype=bar | table sm_user_dn, sm_agentname</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>This is pretty basic, and shows me all the user name/app combinations that have been reported in the events.&nbsp;</P> <P>At this point, how do I tally up the number of apps per user and only show the users which have nine or fewer apps associated with them?</P> Wed, 14 Sep 2022 17:21:08 GMT beetlegeuse 2022-09-14T17:21:08Z https://community.splunk.com/t5/Splunk-Search/How-to-count-number-of-applications-associated-with-a-given-user/m-p/613129#M213085 <P>I'm working on a search that evaluates events for a specific index/sourcetype combination; the events reflect SSO information regarding user authentication success as well as applications the user has accessed while logged on. The search is a result of an ask to identify how many users have accessed 10 or fewer apps during their logon session.&nbsp;</P> <P>For the user, I'm using a field called "sm_user_dn"; for the app name, I'm using "sm_agentname". My search looks like this currently:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=foo sourcetype=bar | table sm_user_dn, sm_agentname</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>This is pretty basic, and shows me all the user name/app combinations that have been reported in the events.&nbsp;</P> <P>At this point, how do I tally up the number of apps per user and only show the users which have nine or fewer apps associated with them?</P> Wed, 14 Sep 2022 17:21:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-number-of-applications-associated-with-a-given-user/m-p/613129#M213085 beetlegeuse 2022-09-14T17:21:08Z https://community.splunk.com/t5/Splunk-Search/How-to-count-number-of-applications-associated-with-a-given-user/m-p/613131#M213086 <P>Hi</P><P>you can try this</P><LI-CODE lang="markup">index=foo sourcetype=bar | stats dc(sm_agentname) as appsCount by sm_user_dn | where appsCount &lt; 10</LI-CODE><P>r. Ismo&nbsp;</P> Wed, 14 Sep 2022 17:34:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-number-of-applications-associated-with-a-given-user/m-p/613131#M213086 isoutamo 2022-09-14T17:34:17Z https://community.splunk.com/t5/Splunk-Search/How-to-count-number-of-applications-associated-with-a-given-user/m-p/613133#M213087 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;! One additional ask: What would be added to count the number of users that meet the "less than 10" criteria? Does the number returned in the "Statistics" tab header reflect that?&nbsp;</P> Wed, 14 Sep 2022 17:58:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-number-of-applications-associated-with-a-given-user/m-p/613133#M213087 beetlegeuse 2022-09-14T17:58:49Z https://community.splunk.com/t5/Splunk-Search/How-to-count-number-of-applications-associated-with-a-given-user/m-p/613593#M213255 <P>Thank you...this did the trick!</P> Mon, 19 Sep 2022 12:06:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-number-of-applications-associated-with-a-given-user/m-p/613593#M213255 beetlegeuse 2022-09-19T12:06:44Z