Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

How to get an accurate count of total users logged into Splunk today?

uddhav
New Member
‎07-11-2018 03:42 AM

Hi,
I am planning to display the distinct count of users logged into Splunk today.

I came across, following two searches :

search1:

index="_internal"  source=*access.log user!="-" */app/*|stats dc(user) as user

search2:

index="_internal" sourcetype=splunk_web_access | stats dc(user) as distinct_users

Both gives me the different count. Am not sure which one is correct one.

Other alternatives are also welcome.

Thanks in advance.

0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: How to get an accurate count of total users logged into Splunk today?

martin_mueller
SplunkTrust
SplunkTrust
‎07-11-2018 04:17 AM

It depends on what you're looking for. If you're looking for users logged into splunk via the web interface, use splunk_web_access. The other access logs would also include REST calls, possibly scheduled searches, etc.

Note that you'll also need to filter out some values, just like you filtered out user!="-" in the first search.

View solution in original post

Reply