Re: How to search the number of distinct users by ...

tcalhoon · ‎09-10-2014

I am in need of a search that will display the number of Distinct users by index over the past 3 months. I have created the following search and run it over a 3month time span but I am wondering if this is the correct approach.

index=_audit NOT user="n/a" NOT user="splunk-system-user" action="search" info="granted" "search index=indexname" | timechart span=1mon count(_raw) by user

Please Advise
Thanks in Advance.

David · ‎09-10-2014

Unfortunately Splunk does not log this information today. Doing a search for index=* will only work if users specify an index each time. If you have a default set of indexes, that won't show up, and if they do something like index=prod-* to cover prod-windows, prod-linux, and prod-fw, you would not get accurate accounting. Ultimately, the big issue is the default indexes -- for most customers, all non-internal (and non-sensitive) indexes are searchable for the typical user role, so you wouldn't get any meaningful data.

bmacias84 · ‎09-11-2014

I agree with @David. This would not account for saved searches or where users used a wildcard or specified no index.

gschmitz · ‎09-10-2014

I don't think this covers saved searches. They look completely different in my _audit index.

How to search the number of distinct users by index over the past 3 months?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!