Help searching the keyword to select multiple user... - Splunk Community

Splunk Search

Hi guys,

I am using Splunk enterprise for monitoring the application name called Nextcloud.

Here I want to customize the dashboard for Nextcloud for that I have imported my nextcloud.log into my Splunk.

In my log file, it has user: xxxxx

I want to search the keyword to select multiple users from my log file to get the report I don't know what is keyword it is been used to pull the data. Can anyone help me with this?

Sample Keywords:

source="/xxx/xxx/xxx/nextcloud.log" host="nextcloud" sourcetype="Nextcloud" | search user= "*"

The above command works for every user but i want to get reports of only 2 users how do i do that?

Rather than use user="*" to search for all users, specify the list of users in an IN clause.

index=myindex source="/xxx/xxx/xxx/nextcloud.log" host="nextcloud" sourcetype="Nextcloud" user IN (foo bar)

---
If this reply helps you, Karma would be appreciated.

sory but I don't understand what you mean with "keyword".

in your sample, you define "keyword" four field conditions, maybe do you mean a condition?

or you want to know te users with more than one event?

or do you want to find a field values where there is more than one user, or what else?

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...