Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Better search string than this to count top logins by Company by date

bowesmana
SplunkTrust
SplunkTrust
‎12-09-2013 02:32 AM

My data consists of login events to a system. Each user belongs to a Company, of which there are 12 companies represented. The event date is the login time.

Fields are

Company - Company code
Co_Name - Company name
Name - User's name

I want a report to show :

For each company, the users with the most logged in days, i.e. only one login counts per day, during a given period.

I can achieve the top user per company like this

sourcetype=logins* | stats dc(Date) as Count by Name, Co_Name | sort Co_Name, -Count | dedup Co_Name

but if there is a company with more than one user with the same number of logged in days, I will only get one, whereas I want all the users for that company with that max login count.

I tried this one

sourcetype=logins* | top showperc=false 1 Name, Company by Co_Name

but that does not take account of more than one login per day, which should only count 1.

I feel there would be a more correct way to achieve this other than my search string above...

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎12-09-2013 02:44 AM

How about this, starting with your initial search:

sourcetype=logins* | stats dc(Date) as Count by Name, Co_Name | eventstats max(Count) as maxCount by Co_Name | where Count=maxCount

That should keep multiple equal "leaders" per company.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎12-09-2013 02:44 AM

How about this, starting with your initial search:

sourcetype=logins* | stats dc(Date) as Count by Name, Co_Name | eventstats max(Count) as maxCount by Co_Name | where Count=maxCount

That should keep multiple equal "leaders" per company.

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎12-09-2013 03:21 AM

Perfect - thanks a lot martin!

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...