Solved: Re: How to get an accurate count of total users lo...

uddhav · ‎07-11-2018

Hi,
I am planning to display the distinct count of users logged into Splunk today.

I came across, following two searches :

search1:

index="_internal"  source=*access.log user!="-" */app/*|stats dc(user) as user

search2:

index="_internal" sourcetype=splunk_web_access | stats dc(user) as distinct_users

Both gives me the different count. Am not sure which one is correct one.

Other alternatives are also welcome.

Thanks in advance.

martin_mueller · ‎07-11-2018

It depends on what you're looking for. If you're looking for users logged into splunk via the web interface, use splunk_web_access. The other access logs would also include REST calls, possibly scheduled searches, etc.

Note that you'll also need to filter out some values, just like you filtered out user!="-" in the first search.

View solution in original post

martin_mueller · ‎07-11-2018

It depends on what you're looking for. If you're looking for users logged into splunk via the web interface, use splunk_web_access. The other access logs would also include REST calls, possibly scheduled searches, etc.

Note that you'll also need to filter out some values, just like you filtered out user!="-" in the first search.

How to get an accurate count of total users logged into Splunk today?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann