Hi,
I am planning to display the distinct count of users logged into Splunk today.
I came across, following two searches :
search1:
index="_internal" source=*access.log user!="-" */app/*|stats dc(user) as user
search2:
index="_internal" sourcetype=splunk_web_access | stats dc(user) as distinct_users
Both gives me the different count. Am not sure which one is correct one.
Other alternatives are also welcome.
Thanks in advance.
It depends on what you're looking for. If you're looking for users logged into splunk via the web interface, use splunk_web_access
. The other access logs would also include REST calls, possibly scheduled searches, etc.
Note that you'll also need to filter out some values, just like you filtered out user!="-"
in the first search.
It depends on what you're looking for. If you're looking for users logged into splunk via the web interface, use splunk_web_access
. The other access logs would also include REST calls, possibly scheduled searches, etc.
Note that you'll also need to filter out some values, just like you filtered out user!="-"
in the first search.