Splunk Search

Complex Pie Chart

hburton
Explorer

I'm sorry for the terrible subject. I can't think of a simplified title for what I'm trying to do.

I'm trying to graph wireless SSID utilization. I want to pie chart our SSIDs by counting unique users for each ssid based on RADIUS authentication logs.

The logs will contain..

1. A Reason-Code that lets me know that it is a successful authentication

2. A Called-Station-Id that I can extract the SSID from

3. A User-Name that I can use to get unique users

My first attempt is 

index=radius | xmlkv | search "Reason-Code"=0 | rex field="Called-Station-Id" ":(?<SSID>.+)" | stats count by SSID

This is getting close, but it's going to count users more than once if they authenticate more than once on the same SSID, which they will.

I know that dc("User-Name") will let me do distinct counting on the user, but I can't figure out how to put these together to get the number of unique users per SSID. I either don't understand the pipeline, or I'm trying to do something that can't be done this way.

To make it a little more complicated, I DO want to count the same user for each SSID. For example, if a user connects to ssid1 and then leaves and connects to ssid2, I would like to count them one time for each of the SSIDs.

Labels (1)
0 Karma
1 Solution

thambisetty
Super Champion
| stats dc("User-Name") by SSID
————————————
If this helps, give a like below.

View solution in original post

hburton
Explorer

Thank you. That works perfectly. I wish it hadn't been so simple though. I feel like a dumb* now. 

0 Karma

thambisetty
Super Champion

It's okay, sometimes it happens no worries. keep splunking.

————————————
If this helps, give a like below.
0 Karma

thambisetty
Super Champion
| stats dc("User-Name") by SSID
————————————
If this helps, give a like below.
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...