Solved: Complex Pie Chart

hburton · ‎09-12-2020

I'm sorry for the terrible subject. I can't think of a simplified title for what I'm trying to do.

I'm trying to graph wireless SSID utilization. I want to pie chart our SSIDs by counting unique users for each ssid based on RADIUS authentication logs.

The logs will contain..

1. A Reason-Code that lets me know that it is a successful authentication

2. A Called-Station-Id that I can extract the SSID from

3. A User-Name that I can use to get unique users

My first attempt is

index=radius | xmlkv | search "Reason-Code"=0 | rex field="Called-Station-Id" ":(?<SSID>.+)" | stats count by SSID

This is getting close, but it's going to count users more than once if they authenticate more than once on the same SSID, which they will.

I know that dc("User-Name") will let me do distinct counting on the user, but I can't figure out how to put these together to get the number of unique users per SSID. I either don't understand the pipeline, or I'm trying to do something that can't be done this way.

To make it a little more complicated, I DO want to count the same user for each SSID. For example, if a user connects to ssid1 and then leaves and connects to ssid2, I would like to count them one time for each of the SSIDs.

thambisetty · ‎09-12-2020

| stats dc("User-Name") by SSID

————————————
If this helps, give a like below.

View solution in original post

hburton · ‎09-13-2020

Thank you. That works perfectly. I wish it hadn't been so simple though. I feel like a dumb* now.

thambisetty · ‎09-13-2020

It's okay, sometimes it happens no worries. keep splunking.

————————————
If this helps, give a like below.

thambisetty · ‎09-12-2020

| stats dc("User-Name") by SSID

————————————
If this helps, give a like below.

Complex Pie Chart

chart

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life