- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to filter the Userid to show once per minute?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the index for siteminder called cams_prod, there are traced filed with the type smtrace. Using these trace files find the logs for the application using 'Center realm’. Then created a regular expression to mine the User id. You will notice that Userids are able to be found many times each minute. We need to fiter this so it only shows once per minute.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
to show only one Userid per minute, in your query use this function dc by this way:
...|stats dc(Userid) by ...
Or
...|timechart dc(Userid) by ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
to show only one Userid per minute, in your query use this function dc by this way:
...|stats dc(Userid) by ...
Or
...|timechart dc(Userid) by ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Moiezuddin,
Thanks For the question,
I new to splunk, Trying to develop some sample siteminder dashboards as a poc,
Hope you have some Idea on the smaccess log and smps log,
Using Smps log, We are trying to develop some alerts for the performance monitoring of siteminder.
Can you please explain if you have done any in your environment.
Was It possible to create a table like total number users have accessed a particular application in 24 hours time period using azaccept and uid in smaccess.log
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=casm_prod sourcetype=smtrace | bucket _time span=1m | stats count by _time, USER_id | sort - count
With the above query, I noticed that USER_id are able to be found many times each minute.
I need to fiter this in such a way that it only needs to shows once per minute.
Kindly help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok guy,
Try this with the commande dedup:
...|stats dc(User_id) by ... | dedup USER_id sortby +_time
Or this with commande uniq:
index=casm_prod sourcetype=smtrace | bucket _time span=1m | stats count by _time, USER_id | sort - count |uniq
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot , its working fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No mention. I'm here to help you solve your problems
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you post some sample data, your current search, and a mock-up of your desired output please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=casm_prod sourcetype=smtrace | bucket _time span=1m | stats count by _time, USER_id | sort - count
With the above query, I noticed that USER_id are able to be found many times each minute.
I need to fiter this in such a way that it only needs to shows once per minute.
Kindly help
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
