Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter the Userid to show once per minute?

moiezuddin
Explorer
‎04-06-2015 06:54 AM

In the index for siteminder called cams_prod, there are traced filed with the type smtrace. Using these trace files find the logs for the application using 'Center realm’. Then created a regular expression to mine the User id. You will notice that Userids are able to be found many times each minute. We need to fiter this so it only shows once per minute.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

NOUMSSI
Builder
‎04-06-2015 06:48 PM

Hi,
to show only one Userid per minute, in your query use this function dc by this way:

...|stats dc(Userid) by ...

Or

...|timechart dc(Userid) by ...

View solution in original post

Reply
Solved! Jump to solution
Solution

NOUMSSI
Builder
‎04-06-2015 06:48 PM

Hi,
to show only one Userid per minute, in your query use this function dc by this way:

...|stats dc(Userid) by ...

Or

...|timechart dc(Userid) by ...

Reply
Solved! Jump to solution

krishnacasso
Path Finder
‎03-01-2016 12:07 PM

Hi Moiezuddin,

Thanks For the question,
I new to splunk, Trying to develop some sample siteminder dashboards as a poc,
Hope you have some Idea on the smaccess log and smps log,

Using Smps log, We are trying to develop some alerts for the performance monitoring of siteminder.
Can you please explain if you have done any in your environment.

Was It possible to create a table like total number users have accessed a particular application in 24 hours time period using azaccept and uid in smaccess.log

Thanks,

0 Karma
Reply
Solved! Jump to solution

moiezuddin
Explorer
‎04-07-2015 01:57 AM

index=casm_prod sourcetype=smtrace | bucket _time span=1m | stats count by _time, USER_id | sort - count

With the above query, I noticed that USER_id are able to be found many times each minute.

I need to fiter this in such a way that it only needs to shows once per minute.

Kindly help

0 Karma
Reply
Solved! Jump to solution

NOUMSSI
Builder
‎04-07-2015 03:02 AM

Ok guy,

Try this with the commande dedup:

 ...|stats dc(User_id) by ... | dedup USER_id sortby +_time

Or this with commande uniq:

index=casm_prod sourcetype=smtrace | bucket _time span=1m | stats count by _time, USER_id | sort - count |uniq
0 Karma
Reply
Solved! Jump to solution

moiezuddin
Explorer
‎04-07-2015 03:39 AM

Thanks a lot , its working fine.

0 Karma
Reply
Solved! Jump to solution

NOUMSSI
Builder
‎04-07-2015 03:59 AM

No mention. I'm here to help you solve your problems

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎04-06-2015 07:36 AM

Could you post some sample data, your current search, and a mock-up of your desired output please?

0 Karma
Reply
Solved! Jump to solution

moiezuddin
Explorer
‎04-07-2015 12:11 AM

index=casm_prod sourcetype=smtrace | bucket _time span=1m | stats count by _time, USER_id | sort - count

With the above query, I noticed that USER_id are able to be found many times each minute.

I need to fiter this in such a way that it only needs to shows once per minute.

Kindly help

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...