Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Counting the results of a Search?

MichaelCohen829
Explorer
‎05-09-2014 09:58 AM

Hello Splunk Community

I am trying to create a Search that will count the number of users who have a passed a certain number of threshold. In this case, I want to count the number of distinct UserIDs that has logged on more than 4 times.

The search I have so far will return each UserID and the number of times this User has logged in, only returning those who have logged in more than 4 times. What I want to do now is to do a count of those UserIDs, in other words I would like to search to return one number, then number of users who have logged in more than 4 times.

Any ideas?

Thanks,

Mike

sourcetype="logfile" Action="LoggedIn" | stats dc(StartTime) as xcount by UserId | where xcount>4 | sort xcount desc

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎05-09-2014 10:00 AM

This will do it

sourcetype="logfile" Action="LoggedIn" 
| stats dc(StartTime) as xcount by UserId 
| where xcount>4 
| stats count as "Number of Users Who have Logged in More than 4 Times"
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...