Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Counting how many days users logged into the server for the last 12 months

splunktrainingu
Communicator
‎02-09-2024 02:12 PM

Hello,

 

I am trying to count how many days out of the last 12 months our users logged into two of our servers.  And in the end I want it to display the days out of the 12 months the users logged in. SO if a user logged in 4 time in one day it should count it as 1 day.  

I have tried the "timechart span=1d count by Account_Name"    this looked promising but timechart groups Account_names in OTHER field that is misleading because there are other accounts in that field.

 

index=windows source="WinEventLog:Security" EventCode=4624 host IN (Server1, Server2) Logon_Type IN (10, 7)

| eval Account_Name = mvindex(Account_Name,1)
| timechart span=1d count by Account_Name
| untable _time Account_Name count

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎02-12-2024 02:16 PM
And in the end I want it to display the days out of the 12 months the users logged in. SO if a user logged in 4 time in one day it should count it as 1 day.  

If you are aggregating number of days over 12 months, why do you use timechart?  That splits output into individual days the user logged on, therefore the count is the number of times the user logged on each day, i.e., 4 times.

This is the aggregate

index=windows source="WinEventLog:Security" EventCode=4624 host IN (Server1, Server2) Logon_Type IN (10, 7)
| bucket _time span=1d@d
| eval Account_Name = mvindex(Account_Name,1)
| stats dc(_time) as count  by Account_Name

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎02-12-2024 02:16 PM
And in the end I want it to display the days out of the 12 months the users logged in. SO if a user logged in 4 time in one day it should count it as 1 day.  

If you are aggregating number of days over 12 months, why do you use timechart?  That splits output into individual days the user logged on, therefore the count is the number of times the user logged on each day, i.e., 4 times.

This is the aggregate

index=windows source="WinEventLog:Security" EventCode=4624 host IN (Server1, Server2) Logon_Type IN (10, 7)
| bucket _time span=1d@d
| eval Account_Name = mvindex(Account_Name,1)
| stats dc(_time) as count  by Account_Name
Tags (1)
0 Karma
Reply
Solved! Jump to solution

splunktrainingu
Communicator
‎02-13-2024 09:34 AM

What does the "1d@d" for span mean?

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎02-13-2024 04:04 PM
What does the "1d@d" for span mean?

I'm just speculating that you want to count calendar days, not arbitrary 24-hour periods from the time of your search.  If not, lose that @d. (The "@" notation is called "snap-to".  See Specify a snap to time unit.)

Reply
Solved! Jump to solution

splunktrainingu
Communicator
‎02-14-2024 07:06 AM

Thank you for explaining this. I didn't know about this syntax.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2024 02:22 PM 
index=windows source="WinEventLog:Security" EventCode=4624 host IN (Server1, Server2) Logon_Type IN (10, 7)

| eval Account_Name = mvindex(Account_Name,1)
| timechart span=1d count by Account_Name useother=f limit=0
| untable _time Account_Name count
0 Karma
Reply
Solved! Jump to solution

splunktrainingu
Communicator
‎02-14-2024 07:07 AM

I am sorry this didn't work for me and I tried to get it to work. But I already have a solution.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...