I'm sorry for the terrible subject. I can't think of a simplified title for what I'm trying to do.
I'm trying to graph wireless SSID utilization. I want to pie chart our SSIDs by counting unique users for each SSID based on RADIUS authentication logs.
The logs will contain:
1. A Reason-Code that lets me know that it is a successful authentication
2. A Called-Station-Id that I can extract the SSID from
3. A User-Name that I can use to get unique users
My first attempt is:
index=radius | xmlkv | search "Reason-Code"=0 | rex field="Called-Station-Id" ":(?<SSID>.+)" | stats count by SSID
This is getting close, but it's going to count users more than once if they authenticate more than once on the same SSID, which they will.
I know that dc("User-Name") will let me do distinct counting on the user, but I can't figure out how to put these together to get the number of unique users per SSID. I either don't understand the pipeline, or I'm trying to do something that can't be done this way.
To make it a little more complicated, I DO want to count the same user for each SSID. For example, if a user connects to ssid1 and then leaves and connects to ssid2, I would like to count them one time for each of the SSIDs.
| stats dc("User-Name") by SSID
Thank you. That works perfectly. I wish it hadn't been so simple though. I feel like a dumb* now.
It's okay, sometimes it happens, no worries. Keep splunking.
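The difference between the question's `stats count by SSID` and the answer's `stats dc("User-Name") by SSID`, reproduced offline as an added example that is not code from this thread. The sample events are constructed, the one-element-per-attribute XML layout is an assumption, and `unique_users_per_ssid` is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Same pattern as the rex in the question, in Python named-group syntax.
# Like the rex, it assumes a hyphen-separated MAC before the ":SSID" suffix.
SSID_RE = re.compile(r":(?P<SSID>.+)")


def _event(user, called_station, reason):
    """Build one constructed log record (assumed flat XML layout)."""
    return (f"<Event><User-Name>{user}</User-Name>"
            f"<Called-Station-Id>{called_station}</Called-Station-Id>"
            f"<Reason-Code>{reason}</Reason-Code></Event>")


# Constructed sample data, not real logs.
SAMPLE_LOG = "\n".join([
    _event("alice", "00-11-22-33-44-55:ssid1", 0),
    _event("alice", "00-11-22-33-44-55:ssid1", 0),   # re-authentication
    _event("bob",   "00-11-22-33-44-55:ssid1", 0),
    _event("bob",   "00-11-22-33-44-55:ssid1", 16),  # failed attempt
    _event("alice", "00-11-22-33-44-66:ssid2", 0),   # same user, other SSID
    _event("dave",  "00-11-22-33-44-66:ssid2", 0),
    _event("carol", "00-11-22-33-44-66:ssid2", 16),  # never succeeded
    "<Event><User-Name>trunc",                        # malformed record
])


def unique_users_per_ssid(log_text):
    """Return {SSID: (successful_auths, distinct_users)}."""
    auths = defaultdict(int)   # what `stats count by SSID` reports
    users = defaultdict(set)   # what `stats dc("User-Name") by SSID` reports
    for line in log_text.splitlines():
        try:
            event = ET.fromstring(line.strip())
        except ET.ParseError:
            continue  # skip blank, truncated or malformed records
        if (event.findtext("Reason-Code") or "").strip() != "0":
            continue  # keep successful authentications only
        match = SSID_RE.search(event.findtext("Called-Station-Id") or "")
        user = event.findtext("User-Name")
        if not match or not user:
            continue
        auths[match.group("SSID")] += 1
        users[match.group("SSID")].add(user)  # set: one entry per user per SSID
    return {ssid: (auths[ssid], len(users[ssid])) for ssid in auths}


if __name__ == "__main__":
    for ssid, (n_auth, n_users) in sorted(unique_users_per_ssid(SAMPLE_LOG).items()):
        print(f"{ssid}: {n_auth} successful auths, {n_users} unique users")
```
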