Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to list how many users who have disconnected 10 or more times per time selected

Madmax
Path Finder
‎11-02-2023 07:26 AM

I can get total disconnects but can't seem to find a way to get total of how may users who disconnected 10 or more times.  

 

Here is my search: 

 index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=host2) OR host=Host1) earliest=$time_tok.earliest$ latest=$time_tok.latest$
| rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds 

| rename IONS as "User ID" Device as "User Device"
| convert timeformat="%m-%d-%Y" ctime(_time) AS date
|timechart span=1d limit=0 , count


 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Madmax
Path Finder
‎11-03-2023 05:40 AM

I found the solution and wanted to post it here.  I added Device name which then allowed me to use IONS (User ID), to get the total count.  My new challenge is to get these stats on a per day basis in a line chart.  Perhaps someone can give me some ideas. 

| stats count by Device IONS
| where count >= 10
| appendpipe [|stats count as IONS | eval Device="Total"]

View solution in original post

Reply
Solved! Jump to solution
Solution

Madmax
Path Finder
‎11-03-2023 05:40 AM

I found the solution and wanted to post it here.  I added Device name which then allowed me to use IONS (User ID), to get the total count.  My new challenge is to get these stats on a per day basis in a line chart.  Perhaps someone can give me some ideas. 

| stats count by Device IONS
| where count >= 10
| appendpipe [|stats count as IONS | eval Device="Total"]
Reply
Solved! Jump to solution

Madmax
Path Finder
‎11-02-2023 09:41 AM

I also played around with the addcoltotals command but that only gives me the totals of the count.  I need the total of "User ID" 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-02-2023 08:25 AM

The stats command can count the number of disconnects for each user.  Then filter out users with fewer than ten disconnects.

 index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=host2) OR host=Host1) earliest=$time_tok.earliest$ latest=$time_tok.latest$
| rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds 
| stats count by IONS
| where count >= 10
| rename IONS as "User ID"

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Madmax
Path Finder
‎11-02-2023 08:44 AM

That lists all USer IDs that have over 10 disconnects.  I need the total number of users that have disconnected in that time frame.  I essentially need to add the number of USER IDs that have over 10. Just one number. 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-02-2023 10:09 AM

To get a total number of users, use the stats command again.

...
| stats count by IONS
| where count >= 10
``` So far we have one result per user.  Count the number of results to get the number of users. ```
| stats count as IONS
| rename IONS as "User IDs"

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎11-02-2023 08:00 AM
How about add 'by "User ID"' to the end of timechart?
0 Karma
Reply
Solved! Jump to solution

Madmax
Path Finder
‎11-02-2023 08:47 AM

I tried that but it gives a blank box.  No data. 

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...