Solved: Unique Users logged into host

GenericSplunkUs · ‎07-17-2019

I've got a search that's using two stats commands and I'm trying to find a way to get the same results without doubling up on the stats command. I've been searching for answers but I guess I'm not using the right keywords.

What I've got.
index=windowseventlogs EventID="4625" OR EventID="4776" OR EventID="4624" OR EventID="4777" AND NOT user="-" | stats count by user, host | stats count as user by host

Is there a better way to get this same result? I want to be able to list how many unique users logged into the host.

Thanks

adonio · ‎07-17-2019

maybe ... | stats dc(user) as unique_users values(user) as list_of_users count as total_logged_attempt by host ?

View solution in original post

adonio · ‎07-17-2019

maybe ... | stats dc(user) as unique_users values(user) as list_of_users count as total_logged_attempt by host ?

GenericSplunkUs · ‎07-17-2019

This is much better, thank you.

Unique Users logged into host

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)