Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to showcase the count of devices and userlogged in?

Nagalakshmi
Path Finder
‎08-23-2023 11:53 AM

Hi Team,

We have users logging in multiple devices. So, we need to showcase the count of devices  and user logged in. Can you please advise the query for same.

 

Regards,

Nagalakshmi A

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aromanauskas
Path Finder
‎08-24-2023 05:31 PM

So it appears you want 2 counts? number of users per host and number of hosts per user. 

Your search of: 

index=M365 type=logged in
| stats count(username) as usernamecount by username,hostname

Gives just a count of the number of time the field username show up for events with a unique username and hostname combination. 

If you want unique number of users per hostname.. 

| stats dc(username) AS unique_users, count(username) AS total_logins by hostname 

Unique number of hosts per user.. 

| stats dc(hostname) AS unique_hosts, count(hostname) AS total_logins by username 

Combining them is a little more difficult. You could try: 

index=M365 type=logged in 
| eventstats dc(hostname)  AS host_count by username
 stats count(username) as usernamecount,max(host_count) AS host_count by username,hostname
| table username,hostname,unique_host_ct,unique_user_count

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Nagalakshmi
Path Finder
‎08-24-2023 11:03 AM

Hi,

for example index=M365 type=logged in | stats count(username) as usernamecount by username,hostname. by this query we are getting expected results such as username,hostname.

however we need a field where system count can be shown for the userloggedIn.


By trying below command, we are getting the number of times users logged in to the systems, but we require system count a user logged in

index=M365 type=logged in | stats count(username) as usernamecount by username,hostname
| where usernamecount>1

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎08-23-2023 05:23 PM

Please give an example of your data

0 Karma
Reply
Solved! Jump to solution

Nagalakshmi
Path Finder
‎08-24-2023 11:47 AM

Hi @bowesmana 

for example index=M365 type=logged in | stats count(username) as usernamecount by username,hostname. by this query we are getting expected results such as username,hostname.

however we need a field where system count can be shown for the userloggedIn.


By trying below command, we are getting the number of times users logged in to the systems, but we require system count a user logged in

index=M365 type=logged in | stats count(username) as usernamecount by username,hostname
| where usernamecount>1

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎08-24-2023 05:35 PM

Minor issue with the search is that the type=logged in is going to look for a field 'type' with a value of logged, and then the word in somewhere in the event. Maybe you mean

index=M365 type="logged in"

As for showing the count - do you mean you want to show the number of different users who have logged into the same hostname?

index=M365 type="logged in"
| stats count as usernamecount by username, hostname
| eventstats dc(username) as UniqueUsers by hostname

You don't need 'count(username)' which is counting the events that contain the username field for each user, but you are splitting by username, so its redundant. Just use "count"

 

0 Karma
Reply
Solved! Jump to solution
Solution

aromanauskas
Path Finder
‎08-24-2023 05:31 PM

So it appears you want 2 counts? number of users per host and number of hosts per user. 

Your search of: 

index=M365 type=logged in
| stats count(username) as usernamecount by username,hostname

Gives just a count of the number of time the field username show up for events with a unique username and hostname combination. 

If you want unique number of users per hostname.. 

| stats dc(username) AS unique_users, count(username) AS total_logins by hostname 

Unique number of hosts per user.. 

| stats dc(hostname) AS unique_hosts, count(hostname) AS total_logins by username 

Combining them is a little more difficult. You could try: 

index=M365 type=logged in 
| eventstats dc(hostname)  AS host_count by username
 stats count(username) as usernamecount,max(host_count) AS host_count by username,hostname
| table username,hostname,unique_host_ct,unique_user_count

0 Karma
Reply
Solved! Jump to solution

Nagalakshmi
Path Finder
‎08-28-2023 03:39 AM

Thanks for your suggestions!!

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...