Splunk Search

How to identify users (UID) that use program A, but have never used program B?

Cox_JoshS
Explorer

I've got users using 2 apps that I'm pulling from, and I'm looking at login reports. Given that the users have unique IDs (UID) and unique app names (AppName), I want to figure out which unique users are using app A but NOT using app B. They can be using both, and I want to see which users have never used app B.

Is this possible through Splunk, or do I need to print them to a CSV and go from there?

Thanks for any help!

1 Solution

musskopf
Builder

Hello,

Try a simple sub-search to exclude users:

index=my_index AND AppName="A" AND NOT
[
search index=my_index AppName="B" | dedup UID | fields UID
]
| dedup UID | table UID

The sub-search will basically list every unique UID that used App B, so we get the results and exclude them from the users using App A. Now, if you have a user that never used App A nor App B, it won't show... if that might be a problem, you need to use another source, a list of UIDs, instead of starting with users using App A. Hope it all makes sense to you.

Cheers,


Cox_JoshS
Explorer

Yep, this has it for me. Thanks again!


musskopf
Builder

Yeah, you got it!


Cox_JoshS
Explorer

Thanks Musskopf!

So, let's see if I understand correctly -

--

index=my_index AND AppName="A" -- finding the users that use app "A"

[ search index=my_index AppName="B" | dedup UID | fields UID ] -- find all users using app "B", remove duplicates, strip all other fields

--

index=my_index AND AppName="A" AND NOT [ search index=my_index AppName="B" | dedup UID | fields UID ]

This combination I'm a little confused about, but if I'm correct this is saying 'if a given item is in the app "A" group, AND NOT in the app "B" group'?

--

Then you take all of it, strip the duplicates, and make a table.

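The accepted answer's subsearch and the step-by-step reading of it above both amount to a set difference: the UIDs seen with App A minus the UIDs seen with App B. The following Python is an added illustration, not code from the thread or from Splunk; it builds per-UID app sets from a handful of constructed key=value login events (the field names UID and AppName match the question, the timestamps and UID values are made up) and computes the same result the SPL returns, plus the "used neither" set that the answer warns you cannot get without an outside list of UIDs (here a constructed DIRECTORY_UIDS set).

```python
import re
from collections import defaultdict

# Constructed sample login events in Splunk-style key=value form (not from the page).
SAMPLE_EVENTS = [
    'timestamp=2024-05-01T08:00:00Z UID=u001 AppName="A" action=login',
    'timestamp=2024-05-01T08:05:00Z UID=u002 AppName="A" action=login',
    'timestamp=2024-05-01T08:07:00Z UID=u002 AppName="B" action=login',
    'timestamp=2024-05-01T09:00:00Z UID=u003 AppName="B" action=login',
    'timestamp=2024-05-02T10:00:00Z UID=u001 AppName="A" action=login',
    'timestamp=2024-05-02T11:30:00Z UID=u004 AppName="A" action=login',
]

# Constructed directory of every known UID: the "another source" the answer
# says you need if users who used neither app must also be reported.
DIRECTORY_UIDS = {"u001", "u002", "u003", "u004", "u005"}

# key=value pairs; values may be quoted ("A") or bare (u001).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Extract key=value pairs from one event, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def apps_by_uid(events):
    """Set of app names each UID has logged in to (like 'stats values(AppName) by UID')."""
    usage = defaultdict(set)
    for line in events:
        ev = parse_event(line)
        if "UID" in ev and "AppName" in ev:
            usage[ev["UID"]].add(ev["AppName"])
    return usage


def uids_using(usage, app):
    """Deduplicated UIDs seen with one app: the answer's subsearch
    'search AppName="B" | dedup UID | fields UID'."""
    return {uid for uid, apps in usage.items() if app in apps}


def a_but_never_b(usage, app_a="A", app_b="B"):
    """The accepted search: users of A, minus every UID ever seen with B, deduplicated."""
    return sorted(uids_using(usage, app_a) - uids_using(usage, app_b))


def used_neither(usage, directory, app_a="A", app_b="B"):
    """The caveat from the answer: UIDs that touched neither app are only visible
    when you start from an external list of UIDs rather than from App A's events."""
    return sorted(directory - uids_using(usage, app_a) - uids_using(usage, app_b))


if __name__ == "__main__":
    usage = apps_by_uid(SAMPLE_EVENTS)
    print("A but never B:", a_but_never_b(usage))                  # ['u001', 'u004']
    print("Used neither:", used_neither(usage, DIRECTORY_UIDS))    # ['u005']
```

Splunk expands the bracketed subsearch into an OR of UID=... terms before running the outer search, so `NOT [ ... ]` is exactly the `uids_using(usage, "A") - uids_using(usage, "B")` subtraction above; u002, who used both apps, drops out, and u005, who appears in neither app's logs, can only be surfaced by subtracting from the directory.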