Splunk Enterprise Security

Unique Users logged into host

GenericSplunkUs
Path Finder

I've got a search that's using two stats commands and I'm trying to find a way to get the same results without doubling up on the stats command. I've been searching for answers but I guess I'm not using the right keywords.

What I've got.
index=windowseventlogs EventID="4625" OR EventID="4776" OR EventID="4624" OR EventID="4777" AND NOT user="-" | stats count by user, host | stats count as user by host

Is there a better way to get this same result? I want to be able to list how many unique users logged into the host.

Thanks

0 Karma
1 Solution

adonio
Ultra Champion

maybe ... | stats dc(user) as unique_users values(user) as list_of_users count as total_logged_attempt by host ?

View solution in original post

0 Karma

adonio
Ultra Champion

maybe ... | stats dc(user) as unique_users values(user) as list_of_users count as total_logged_attempt by host ?

0 Karma

GenericSplunkUs
Path Finder

This is much better, thank you.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...