topic Re: Unique users logging in each day chart / search in Splunk Search

Unique users logging in each day chart / search

tylermonteith — Mon, 25 Mar 2024 16:07:40 GMT

I seem to be close on trying to find the statistics to be able to pull unique users per day but I know I'm missing something.

Goal: Have a stat/chart/search that has the unique user attribute per day for a span of 1 week / 1 month / 1 year search.

Search queries trialed:

EventCode=4624 user=* stats count by user | stats dc(user) EventCode=4624 user=* | timechart span1d count as count_user by user | stats count by user

So the login event 4624 would be a successful log in code and then trying to get it to give me a stat number of the unique values of user names that get it each day for a time span.

Am I close?

Any help would be appreciated!

Re: Unique users logging in each day chart / search

richgalloway — Mon, 25 Mar 2024 16:13:32 GMT

The distinct_count (dc) function will give the unique values of a field.

ErrorCode=4624 user!="*$" | timechart span=1d dc(user) as "Unique Users"

Re: Unique users logging in each day chart / search

tylermonteith — Mon, 25 Mar 2024 20:00:29 GMT

Thank you! If I could ask one more question I'm now wanting to filter that out a bit.

So when looking that up I'm told to do | where user!="SYSTEM" or something like that

EventCode=4624 user!="*$" | timechart span=1d dc(user) as "Unique Users" | where user!="SYSTEM"

So that has me think 2 questions. If != is the sign for EXCLUDE then why does this above statement work user!="*$" and second question since it DOES work how can I exclude multiple values?

example:
| where user!="SYSTEM","Administrator","Guest", etc?

Re: Unique users logging in each day chart / search

richgalloway — Mon, 25 Mar 2024 19:41:27 GMT

Best Practice is to filter out events as early as possible, preferably before the first pipe. Multiple filters can be combined with (implicit) AND. Some like the cleaner look of the IN operator that just lists values to look for (or omit if NOT is used).

EventCode=4624 user!="*$" NOT user IN (SYSTEM Administrator Guest) | timechart span=1d dc(user) as "Unique Users"

Re: Unique users logging in each day chart / search

tylermonteith — Mon, 25 Mar 2024 19:43:18 GMT

Can I use wildcard values in the IN command?

user IN (System Administrator Guest admin*) So basically omit any user that starts with the word admin?

Re: Unique users logging in each day chart / search

PickleRick — Mon, 25 Mar 2024 20:10:55 GMT

Try and see. Good thing about Splunk search is that it's hard to break something just by searching. 🙂

And yes, you can use wildcards with IN operator.