Splunk Search

How to filter for total number of users on an appliance?

Anthony3rd
Explorer

For Cisco I used the filter below; I will need to add filters for whatever view I am looking for.

I want to look up the total number of users for a specific day of the month on a host.

What do I need to add to my filter?

index="its_sslvpn" host=*SIRA* user=*@*

Thank you. 

Anthony


Anthony3rd
Explorer

scelikok

Some users will login like Thomas.Nolan and some will have thomas.nolan.   Would that show up as two users because of Caps?

And, yes, I was able to use your search strings successfully.

Thank you so much.

Anthony


scelikok
SplunkTrust

Hi @Anthony3rd,

You can lowercase all usernames:

index="its_sslvpn" host=*SIRA* user=*@* date_mday=15
| eval user=lower(user)
| stats dc(user) as user_count by date_month

If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok
SplunkTrust

Hi @Anthony3rd,

You can try the sample below; it will show the unique user count on the 15th day of the month.

index="its_sslvpn" host=*SIRA* user=*@* date_mday=15
| stats dc(user) as user_count by date_month

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Anthony3rd
Explorer

scelikok, can we check for duplicate names? I'm probably pushing it. Thank you.


scelikok
SplunkTrust

Hi @Anthony3rd,

Could you please describe more about the duplicate names? SSL VPN logs having duplicates is normal.

If this reply helps you an upvote and "Accept as Solution" is appreciated.


Anthony3rd
Explorer

Thank you for your help, scelikok. In addition to all your help, I believe I found the additional command: dedup user

Anthony 

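An added illustration of the two points raised in this thread (the case-variant usernames such as Thomas.Nolan versus thomas.nolan, and the difference between counting distinct users and running dedup user). This is example code written for this page, not a search or script from the thread or from Splunk: it emulates the posted SPL over a handful of constructed SSL VPN log lines in Python. The log line format "<ISO timestamp> host=<host> user=<user>" is an assumption, and the "YYYY-MM" key stands in for Splunk's date_month field.

```python
import re
from collections import OrderedDict

# Constructed sample SSL VPN events (not taken from the thread); the line
# format "<ISO timestamp> host=<host> user=<user>" is an assumption.
SAMPLE_LOGS = """\
2024-12-15T08:01:10 host=SIRA-vpn01 user=Thomas.Nolan@example.com
2024-12-15T08:05:44 host=SIRA-vpn01 user=thomas.nolan@example.com
2024-12-15T09:12:00 host=SIRA-vpn01 user=jane.doe@example.com
2024-12-15T09:12:03 host=SIRA-vpn01 user=jane.doe@example.com
2024-12-15T10:30:00 host=SIRA-vpn02 user=svc-backup
2024-12-16T07:00:00 host=SIRA-vpn01 user=Thomas.Nolan@example.com
2024-12-16T07:30:00 host=OTHER-vpn01 user=bob@example.com
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)$"
)


def parse_events(raw):
    """Turn raw lines into dicts carrying the fields the thread's search uses:
    host, user, date_month (stood in by 'YYYY-MM') and date_mday."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: no fields extracted, so it never matches
        year, month, day = m.group("date").split("-")
        events.append({
            "host": m.group("host"),
            "user": m.group("user"),
            "date_month": f"{year}-{month}",
            "date_mday": int(day),
        })
    return events


def search(events, mday):
    """Emulates the filter: host=*SIRA* user=*@* date_mday=<mday>."""
    return [
        e for e in events
        if "SIRA" in e["host"] and "@" in e["user"] and e["date_mday"] == mday
    ]


def user_count_by_month(raw, mday, lowercase=False):
    """Emulates `| stats dc(user) as user_count by date_month`, optionally
    preceded by `| eval user=lower(user)` (the fix for case-variant logins)."""
    seen = {}
    for e in search(parse_events(raw), mday):
        user = e["user"].lower() if lowercase else e["user"]
        seen.setdefault(e["date_month"], set()).add(user)
    return {month: len(users) for month, users in seen.items()}


def dedup_users(raw, mday, lowercase=False):
    """Emulates `| dedup user`: keeps the first event per distinct user value.
    Without lower() the two spellings of the same login both survive."""
    kept = OrderedDict()
    for e in search(parse_events(raw), mday):
        user = e["user"].lower() if lowercase else e["user"]
        kept.setdefault(user, e)
    return list(kept.keys())


if __name__ == "__main__":
    print("dc(user) on the 15th, raw:        ", user_count_by_month(SAMPLE_LOGS, 15))
    print("dc(user) on the 15th, lowercased: ", user_count_by_month(SAMPLE_LOGS, 15, lowercase=True))
    print("dedup user without lower():       ", dedup_users(SAMPLE_LOGS, 15))
    print("dedup user with lower():          ", dedup_users(SAMPLE_LOGS, 15, lowercase=True))
```

On the constructed data the raw distinct count for the 15th is 3 while the lowercased count is 2, which is exactly the double-counting the thread asks about; dedup user alone does not fix it, because dedup compares the field value as-is, so it should follow the eval user=lower(user) step rather than replace it.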