Autodesk - unique users per application

jeremyblalock
New Member

We ingest the debug logs from our Autodesk license servers into Splunk for license usage reporting, pool exhaustion alerting, etc. I am trying to create a few reports to measure our unique user counts and maximum usage for our Autodesk licensing. I am getting some inconsistent results where the number of unique users is a lot lower than the max number of users over the same time frame. I feel like it is something wrong with the unique users query, as the max users query results are pretty close to what I see in the live data. I am pretty new to Splunk so I suspect I am doing something wrong, but after many hours of trial and error I cannot figure out what. The queries are below; I would appreciate any suggestions anyone may have.

Unique users per application query:

index="autodesk-licensing"
| lookup autodesklicenses.csv Feature AS product OUTPUT FriendlyName AS "product"
| rename "product" AS "Application", "username" AS "Username", "lichost" AS "Hostname"
| dedup Username
| addtotals
| stats count BY "Application"
| rename "count" AS "Total Unique Users"

Maximum usage query:

index="autodesk-licensing" sourcetype="lmutil"
| lookup autodesklicenses.csv Feature AS product OUTPUT FriendlyName AS "Autodesk License"
| timechart max(current_license_usage) span=8hours by "Autodesk License"
| eval date_wday=lower(strftime(_time,"%A"))
| where NOT (date_wday="saturday" OR date_wday="sunday")
| fields - date_wday

0 Karma

alonsocaio
Contributor

Hi,

I guess that when you use the "| dedup Username" you are removing all duplicate entries of users.

As an example, if user "John" uses app A and app B, the dedup command will return only one of these apps. I think the best approach for the unique users per application is to use the "| stats dc()".

You can try something like:

index="autodesk-licensing"
| lookup autodesklicenses.csv Feature AS product OUTPUT FriendlyName AS "product"
| rename "product" AS "Application", "username" AS "Username", "lichost" AS "Hostname"
| addtotals
| stats dc(Username) as "Total Unique Users" by "Application"

0 Karma
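
The difference between the two approaches in this thread can be reproduced without any index. The search below is an added example, not part of the original posts: the usernames and application names in `constructed_sample` are constructed sample data, and it puts the `dedup Username` count next to `dc(Username)` for each application.

```spl
| makeresults
| eval constructed_sample=split("john:AutoCAD,john:Revit,john:AutoCAD,mary:Revit,mary:Revit,alex:AutoCAD", ",")
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<Username>[^:]+):(?<Application>.+)$"
| eventstats dc(Username) AS distinct_users BY Application
| dedup Username
| stats count AS "Count after dedup Username" max(distinct_users) AS "dc(Username)" BY Application
```

Because `dedup Username` keeps only the first event seen for each user, john's Revit checkout is discarded and Revit shows 1 user after dedup against 2 from `dc(Username)`; AutoCAD shows 2 in both columns.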