Solved: Unique Users logged into host

GenericSplunkUs · ‎07-17-2019

I've got a search that's using two stats commands and I'm trying to find a way to get the same results without doubling up on the stats command. I've been searching for answers but I guess I'm not using the right keywords.

What I've got.
index=windowseventlogs EventID="4625" OR EventID="4776" OR EventID="4624" OR EventID="4777" AND NOT user="-" | stats count by user, host | stats count as user by host

Is there a better way to get this same result? I want to be able to list how many unique users logged into the host.

Thanks

adonio · ‎07-17-2019

maybe ... | stats dc(user) as unique_users values(user) as list_of_users count as total_logged_attempt by host ?

View solution in original post

adonio · ‎07-17-2019

maybe ... | stats dc(user) as unique_users values(user) as list_of_users count as total_logged_attempt by host ?

GenericSplunkUs · ‎07-17-2019

This is much better, thank you.

Unique Users logged into host

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Unique Users logged into host

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!