Hello Splunk Community
I am trying to create a Search that will count the number of users who have a passed a certain number of threshold. In this case, I want to count the number of distinct UserIDs that has logged on more than 4 times.
The search I have so far will return each UserID and the number of times this User has logged in, only returning those who have logged in more than 4 times. What I want to do now is to do a count of those UserIDs, in other words I would like to search to return one number, then number of users who have logged in more than 4 times.
Any ideas?
Thanks,
Mike
sourcetype="logfile" Action="LoggedIn" | stats dc(StartTime) as xcount by UserId | where xcount>4 | sort xcount desc
This will do it
sourcetype="logfile" Action="LoggedIn"
| stats dc(StartTime) as xcount by UserId
| where xcount>4
| stats count as "Number of Users Who have Logged in More than 4 Times"