Splunk Search

How to get an accurate count of total users logged into Splunk today?

uddhav
New Member

Hi,
I am planning to display the distinct count of users logged into Splunk today.

I came across the following two searches:

search1:

index="_internal"  source=*access.log user!="-" */app/*|stats dc(user) as user

search2:

index="_internal" sourcetype=splunk_web_access | stats dc(user) as distinct_users

Both give me different counts. I am not sure which one is the correct one.

Other alternatives are also welcome.

Thanks in advance.


martin_mueller
SplunkTrust

It depends on what you're looking for. If you're looking for users logged into Splunk via the web interface, use splunk_web_access. The other access logs would also include REST calls, possibly scheduled searches, etc.

Note that you'll also need to filter out some values, just like you filtered out user!="-" in the first search.
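
An added example, not part of the original posts: one way to see why the two searches disagree is to run the question's `source=*access.log` filter over today's events and break the distinct count out per sourcetype, listing the user values behind each count so that accounts to exclude become visible. The `earliest=@d` time bound and the `users` output field are choices made for this example.

```spl
index="_internal" source=*access.log user=* user!="-" earliest=@d latest=now
| stats dc(user) AS distinct_users values(user) AS users BY sourcetype
```

The `splunk_web_access` row corresponds to search2; the remaining rows show which additional users the broader `source=*access.log` match picks up from the other access logs.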
