Help searching the keyword to select multiple user... - Splunk Community

Splunk Search

Hi guys,

I am using Splunk enterprise for monitoring the application name called Nextcloud.

Here I want to customize the dashboard for Nextcloud for that I have imported my nextcloud.log into my Splunk.

In my log file, it has user: xxxxx

I want to search the keyword to select multiple users from my log file to get the report I don't know what is keyword it is been used to pull the data. Can anyone help me with this?

Sample Keywords:

source="/xxx/xxx/xxx/nextcloud.log" host="nextcloud" sourcetype="Nextcloud" | search user= "*"

The above command works for every user but i want to get reports of only 2 users how do i do that?

Rather than use user="*" to search for all users, specify the list of users in an IN clause.

index=myindex source="/xxx/xxx/xxx/nextcloud.log" host="nextcloud" sourcetype="Nextcloud" user IN (foo bar)

---
If this reply helps you, Karma would be appreciated.

sory but I don't understand what you mean with "keyword".

in your sample, you define "keyword" four field conditions, maybe do you mean a condition?

or you want to know te users with more than one event?

or do you want to find a field values where there is more than one user, or what else?

Ciao.

Giuseppe

Get Updates on the Splunk Community!

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Hello Splunkers, Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...

Community Spotlight: A Splunk Expert's Journey

In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...