Solved: Unique Users logged into host

GenericSplunkUs · ‎07-17-2019

I've got a search that's using two stats commands and I'm trying to find a way to get the same results without doubling up on the stats command. I've been searching for answers but I guess I'm not using the right keywords.

What I've got.
index=windowseventlogs EventID="4625" OR EventID="4776" OR EventID="4624" OR EventID="4777" AND NOT user="-" | stats count by user, host | stats count as user by host

Is there a better way to get this same result? I want to be able to list how many unique users logged into the host.

Thanks

adonio · ‎07-17-2019

maybe ... | stats dc(user) as unique_users values(user) as list_of_users count as total_logged_attempt by host ?

View solution in original post

adonio · ‎07-17-2019

maybe ... | stats dc(user) as unique_users values(user) as list_of_users count as total_logged_attempt by host ?

GenericSplunkUs · ‎07-17-2019

This is much better, thank you.

Unique Users logged into host

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation