Dashboards & Visualizations

How to use stats to get sum of unique ids, lists of user and Total count logged.

shalinibisht
Explorer

Hi,

My filter is here, which shows the list of unique users with the no. of times they have logged into the system/server as success response.

index=* eventName=* host IN(here is the list of the server) response.status=SUCCESSFUL | stats count by "userId" | sort - count

The result is in the attached screenshot.

My requirement is to get the data for the total no. of distinct users count too. I can fetch it by dc or distinct_count(userId), but how can I get all three data on the same page: the list of users, the sum of users and the no. of times they logged in as count?


manjunathmeti
Champion

Hi @shalinibisht,

You can use eventstats to get the total number of users.

index=* eventName=* host IN(here is the list of the server) response.status=SUCCESSFUL | stats count by "userId" | sort - count | eventstats count(userId) as "Total Number of Users"

Tip: Always use index name(s) instead of * for the index query for better performance.

If this reply helps you, an upvote/like would be appreciated.


shalinibisht
Explorer

Hi @manjunathmeti,

Thanks for the response.

Eventstats is not working; it's throwing an error: argument invalid.

Yes, I am using index=value (not to mention the name, I made it an asterisk).

Thanks

Shalini Bisht

manjunathmeti
Champion

Try this:

index=* eventName=* host IN(here is the list of the server) response.status=SUCCESSFUL | stats count by "userId" | sort - count | eventstats count as "Total Number of Users"

shalinibisht
Explorer

Hi @manjunathmeti 

Thanks, that worked!

I could get the total count for userid. Can the view be changed, as it will show the value multiple times?

manjunathmeti
Champion

You can use stats values, but I would not suggest it since you have more than 1000 events.

index=* eventName=* host IN(here is the list of the server) response.status=SUCCESSFUL | stats count by "userId" | sort - count | eventstats count as "Total Number of Users" | stats values(*) as *

If these replies help you, likes would be appreciated.
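A small Python model of what each stage of the pipeline in this thread does to the result rows, added here as an illustration (it is not code from the thread and not Splunk's implementation). The login events are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample: one entry per successful login event (userId only).
EVENTS = ["alice"] * 12 + ["bob"] * 3 + ["carol"] * 3 + ["dave"]

def stats_count_by_user(events):
    """Models `stats count by userId | sort - count`: one row per distinct user."""
    rows = [{"userId": u, "count": c} for u, c in Counter(events).items()]
    return sorted(rows, key=lambda r: -r["count"])

def eventstats_count(rows, name="Total Number of Users"):
    """Models `eventstats count as <name>`: counts the rows currently in the
    pipeline and attaches that same number to every row (rows are kept)."""
    total = len(rows)  # one row per user, so this is the distinct user count
    return [{**r, name: total} for r in rows]

def stats_values_all(rows):
    """Models `stats values(*) as *`: collapses everything to ONE row; each
    field becomes its distinct values in lexicographical order."""
    fields = {}
    for r in rows:
        for key, value in r.items():
            fields.setdefault(key, set()).add(str(value))
    return {key: sorted(values) for key, values in fields.items()}

def summary(events):
    """Runs the three stages in the order used in the thread."""
    per_user = stats_count_by_user(events)
    with_total = eventstats_count(per_user)
    collapsed = stats_values_all(with_total)
    return per_user, with_total, collapsed

if __name__ == "__main__":
    per_user, with_total, collapsed = summary(EVENTS)
    for row in with_total:
        print(row)      # the total repeats on every user row
    print(collapsed)    # single row, multivalue fields
```

In the collapsed row the count field holds three values for four users, because the two users with 3 logins merge into one value, and the values are ordered as text (1, 12, 3), so the counts no longer line up with the userId values.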
