Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter for total number of users on an appliance?

Anthony3rd
Explorer
‎01-27-2023 08:51 AM

For Cisco I used the filter below, I will need to add filters for whatever view I am looking for.

I want to look up the total number of users for a specific day of the month on a host.

@

What do I need to add to my filter?

 

index="its_sslvpn" host=*SIRA* user=*@*

 

Thank you. 

Anthony

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Anthony3rd
Explorer
‎01-27-2023 11:00 AM

scelikok

Some users will login like Thomas.Nolan and some will have thomas.nolan.   Would that show up as two users because of Caps?

And, Yes, I was able to use your Seach strings successfully.

Thank you so much.

Anthony

View solution in original post

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎01-27-2023 11:05 AM

Hi @Anthony3rd,

You can lower all usernames;

index="its_sslvpn" host=*SIRA* user=*@* date_mday=15
| eval user=lower(user)
| stats dc(user) as user_count by date_month

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎01-27-2023 09:34 AM

 

Hi @Anthony3rd,

You can try below sample, it will show the unique user count on the 15th day of the month.

index="its_sslvpn" host=*SIRA* user=*@* date_mday=15
| stats dc(user) as user_count by date_month

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

Anthony3rd
Explorer
‎01-27-2023 12:38 PM

scelikok  Can we check for duplicate names?  I'm probably pushing it.   Thank You 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎01-27-2023 10:41 PM

Hi @Anthony3rd,

Could you please describe more about duplicate names? Since SSL VPN logs can have duplicates as normal. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

Anthony3rd
Explorer
‎01-27-2023 11:00 AM

scelikok

Some users will login like Thomas.Nolan and some will have thomas.nolan.   Would that show up as two users because of Caps?

And, Yes, I was able to use your Seach strings successfully.

Thank you so much.

Anthony

0 Karma
Reply
Solved! Jump to solution

Anthony3rd
Explorer
‎01-30-2023 05:54 AM

Thank you for your help scelikok.  In addition to all your help, I believe I found the additional cmd > dedup user

Anthony 

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...