Splunk Search

How to filter for total number of users on an appliance?

Anthony3rd
Explorer

For Cisco I used the filter below; I will need to add filters for whatever view I am looking for.

I want to look up the total number of users for a specific day of the month on a host.


What do I need to add to my filter?


index="its_sslvpn" host=*SIRA* user=*@*


Thank you. 

Anthony



scelikok
SplunkTrust

Hi @Anthony3rd,

You can lowercase all usernames:

index="its_sslvpn" host=*SIRA* user=*@* date_mday=15
| eval user=lower(user)
| stats dc(user) as user_count by date_month


If this reply helps you, an upvote and "Accept as Solution" is appreciated.

scelikok
SplunkTrust


Hi @Anthony3rd,

You can try the sample below; it will show the unique user count on the 15th day of the month.

index="its_sslvpn" host=*SIRA* user=*@* date_mday=15
| stats dc(user) as user_count by date_month


Anthony3rd
Explorer

@scelikok Can we check for duplicate names? I'm probably pushing it. Thank you.


scelikok
SplunkTrust

Hi @Anthony3rd,

Could you please describe the duplicate names in more detail? SSL VPN logs normally contain duplicates.


Anthony3rd
Explorer

@scelikok

Some users will log in as Thomas.Nolan and some as thomas.nolan. Would that show up as two users because of caps?

And yes, I was able to use your search strings successfully.

Thank you so much.

Anthony


Anthony3rd
Explorer

Thank you for your help, @scelikok. In addition to all your help, I believe I found the additional command: dedup user

Anthony 

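The three search variants in this thread (stats dc(user) by date_month on its own, the same with eval user=lower(user) in front, and dedup user) behave differently on mixed-case usernames. The script below is an added example, not code from the thread or from Splunk; it replays each variant in plain Python over a handful of constructed VPN events (invented hosts, users and dates, shaped like Splunk's default extracted fields host, user, date_mday and date_month) so you can see the counts side by side before trusting them in a report.

```python
"""Replay the SPL from this thread over constructed events.

    index="its_sslvpn" host=*SIRA* user=*@* date_mday=15
    | eval user=lower(user)
    | stats dc(user) as user_count by date_month

The events, hosts and users below are constructed for illustration only.
"""
import fnmatch
from collections import defaultdict

# Constructed sample events (not real log data). Field names follow the
# default fields Splunk extracts: host, user, date_month, date_mday.
SAMPLE_EVENTS = [
    {"host": "SIRA-VPN01", "user": "Thomas.Nolan@example.com", "date_month": "march", "date_mday": 15},
    {"host": "SIRA-VPN01", "user": "thomas.nolan@example.com", "date_month": "march", "date_mday": 15},
    {"host": "SIRA-VPN01", "user": "jane.doe@example.com", "date_month": "march", "date_mday": 15},
    {"host": "SIRA-VPN01", "user": "jane.doe@example.com", "date_month": "march", "date_mday": 15},  # repeat login
    {"host": "SIRA-VPN02", "user": "sam.lee@example.com", "date_month": "march", "date_mday": 14},   # wrong day
    {"host": "OTHER-VPN01", "user": "eve@example.com", "date_month": "march", "date_mday": 15},      # wrong host
    {"host": "SIRA-VPN01", "user": "svc-account", "date_month": "march", "date_mday": 15},           # no '@'
    {"host": "SIRA-VPN02", "user": "Jane.Doe@example.com", "date_month": "april", "date_mday": 15},
    {"host": "SIRA-VPN02", "user": "bob@example.com", "date_month": "april", "date_mday": 15},
]


def search(events, host_glob="*SIRA*", user_glob="*@*", mday=15):
    """Base search: host=*SIRA* user=*@* date_mday=15.

    Splunk matches search-term wildcards case-insensitively, so both sides
    are lowercased before the glob comparison.
    """
    return [
        e for e in events
        if fnmatch.fnmatchcase(e["host"].lower(), host_glob.lower())
        and fnmatch.fnmatchcase(e["user"].lower(), user_glob.lower())
        and e["date_mday"] == mday
    ]


def stats_dc_by_month(events, lowercase=False):
    """stats dc(user) as user_count by date_month.

    With lowercase=True this is the thread's second query, which runs
    eval user=lower(user) first. dc() compares values exactly, so without
    the eval 'Thomas.Nolan' and 'thomas.nolan' count as two users.
    """
    seen = defaultdict(set)
    for e in events:
        user = e["user"].lower() if lowercase else e["user"]
        seen[e["date_month"]].add(user)
    return {month: len(users) for month, users in seen.items()}


def dedup_user(events, lowercase=False):
    """dedup user: keep the first event for each distinct user value.

    dedup works across the whole result set, not per month, and it is just
    as case-sensitive as dc() unless the usernames are lowercased first.
    """
    kept, seen = [], set()
    for e in events:
        user = e["user"].lower() if lowercase else e["user"]
        if user not in seen:
            seen.add(user)
            kept.append({**e, "user": user})
    return kept


if __name__ == "__main__":
    hits = search(SAMPLE_EVENTS)
    print("events matching the base search:", len(hits))
    print("dc(user) by month, case-sensitive:", stats_dc_by_month(hits))
    print("dc(user) by month, after lower():", stats_dc_by_month(hits, lowercase=True))
    print("dedup user, case-sensitive:", len(dedup_user(hits)))
    print("dedup user, after lower():", len(dedup_user(hits, lowercase=True)))
```

Two caveats a practitioner should keep in mind before reporting these numbers. First, user=*@* silently drops logins that have no "@" in the username (local or service accounts such as the svc-account event above), so the count is of UPN-style logins, not of every account that touched the appliance. Second, lowercasing is the right normalization for Active Directory UPNs, which are case-insensitive, but on a case-sensitive directory it would merge two genuinely different accounts; and the date_mday and date_month fields are only populated when Splunk parses the timestamp out of the raw event, so a day with missing or unparsed timestamps will simply not appear in the stats output.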