
How to extract a list of unique users in a search and table count of successful and failed logins?

This is my first time using Splunk and I have 2 questions. First of all, say that when I enter a certain search (" Login succeeded for user: ") I get the following 4 values.

  1. Login succeeded for user: a1b2
  2. Login succeeded for user: c3d4
  3. Login succeeded for user: e5f6
  4. Login succeeded for user: a1b2

Is there a way that I can modify this query so that I can get a list of unique users (e.g. a1b2, c3d4, e5f6)? Essentially, as soon as the log finds one user, I want it to discard any other result that comes back with the same user. I do not have access to the props file and so I don't think that I can modify indexes on a permanent basis.

Secondly, is there a way that I can take 2 related queries (index=spss " Login succeeded for user: ") and (index=spss " Login failed for user: ") and get a count of how many times each one has occurred in the timeframe (e.g. 24 hours)? I'd like to be able to put those two numbers next to each other in a graph or table.

Thanks in advance! I look forward to using this tool (platform?)

I am running Splunk 5.0.9.


Re: How to extract a list of unique users in a search and table count of successful and failed logins?

First, you need to extract usernames into a field, let's say "USER", after which you can achieve the statistics you want:

index=spss " Login succeeded for user: " | rex "(?i)user: (?P<USER>.*)"

Unique list of users

index=spss " Login succeeded for user: " earliest=-24h@h | rex "(?i)user: (?P<USER>.*)" | dedup USER | table USER

Number of occurrences of each user within 24 hours

index=spss " Login succeeded for user: " earliest=-24h@h  | rex "(?i)user: (?P<USER>.*)" | stats count by USER
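The second question (successful and failed logins side by side) can be answered with the same field extraction, as an added example that is not part of the answer above. It assumes the failure events use the literal " Login failed for user: " text quoted in the question, and that usernames contain no whitespace; `count(eval(...))` inside `stats` is what puts the two counts in separate columns of one row per user.

```spl
index=spss (" Login succeeded for user: " OR " Login failed for user: ") earliest=-24h@h
| rex "(?i)Login (?P<outcome>succeeded|failed) for user:\s+(?P<USER>\S+)"
| stats count(eval(outcome="succeeded")) AS successes
        count(eval(outcome="failed"))    AS failures
        by USER
| sort - failures
```

Dropping `by USER` from the `stats` line gives the two overall totals for the 24-hour window in a single row, which is the form that charts most easily; sorting by `failures` puts accounts with the most failed attempts at the top, which is the row a reviewer usually wants to see first.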
