Splunk Search

How to get an accurate count of total users logged into Splunk today?

uddhav
New Member

Hi,
I am planning to display the distinct count of users logged into Splunk today.

I came across, following two searches :

search1:

index="_internal"  source=*access.log user!="-" */app/*|stats dc(user) as user

search2:

index="_internal" sourcetype=splunk_web_access | stats dc(user) as distinct_users

Both gives me the different count. Am not sure which one is correct one.

Other alternatives are also welcome.

Thanks in advance.

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

It depends on what you're looking for. If you're looking for users logged into splunk via the web interface, use splunk_web_access. The other access logs would also include REST calls, possibly scheduled searches, etc.

Note that you'll also need to filter out some values, just like you filtered out user!="-" in the first search.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

It depends on what you're looking for. If you're looking for users logged into splunk via the web interface, use splunk_web_access. The other access logs would also include REST calls, possibly scheduled searches, etc.

Note that you'll also need to filter out some values, just like you filtered out user!="-" in the first search.

View solution in original post

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!