Splunk Search

How to showcase the count of devices and userlogged in?

Nagalakshmi
Path Finder

Hi Team,

We have users logging in on multiple devices, so we need to show the count of devices and the user logged in. Can you please advise the query for the same.

 

Regards,

Nagalakshmi A

0 Karma
1 Solution

aromanauskas
Path Finder

So it appears you want two counts: the number of users per host and the number of hosts per user.

Your search of: 

index=M365 type=logged in
| stats count(username) as usernamecount by username,hostname


Gives just a count of the number of times the field username shows up for events with a unique username and hostname combination.

If you want the unique number of users per hostname...

| stats dc(username) AS unique_users, count(username) AS total_logins by hostname 

Unique number of hosts per user...

| stats dc(hostname) AS unique_hosts, count(hostname) AS total_logins by username 

Combining them is a little more difficult. You could try: 

index=M365 type="logged in"
| eventstats dc(hostname) AS host_count by username
| stats count(username) AS usernamecount, max(host_count) AS host_count by username, hostname
| table username, hostname, usernamecount, host_count


0 Karma

Nagalakshmi
Path Finder

Hi,

For example:

index=M365 type=logged in | stats count(username) as usernamecount by username,hostname

With this query we are getting the expected results, such as username and hostname.

However, we need a field where the system count can be shown for the user logged in.

By trying the command below, we are getting the number of times users logged in to the systems, but we require the count of systems a user logged in to.

index=M365 type=logged in | stats count(username) as usernamecount by username,hostname
| where usernamecount>1

0 Karma

bowesmana
SplunkTrust

Please give an example of your data

0 Karma

Nagalakshmi
Path Finder

Hi @bowesmana 

For example:

index=M365 type=logged in | stats count(username) as usernamecount by username,hostname

With this query we are getting the expected results, such as username and hostname.

However, we need a field where the system count can be shown for the user logged in.

By trying the command below, we are getting the number of times users logged in to the systems, but we require the count of systems a user logged in to.

index=M365 type=logged in | stats count(username) as usernamecount by username,hostname
| where usernamecount>1

0 Karma

bowesmana
SplunkTrust

A minor issue with the search is that type=logged in is going to look for a field 'type' with a value of logged, and then the word in somewhere in the event. Maybe you mean

index=M365 type="logged in" 

As for showing the count - do you mean you want to show the number of different users who have logged into the same hostname?

index=M365 type="logged in"
| stats count as usernamecount by username, hostname
| eventstats dc(username) as UniqueUsers by hostname

You don't need 'count(username)', which is counting the events that contain the username field for each user, but you are splitting by username, so it's redundant. Just use "count".

 

0 Karma
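As an added, self-contained example (not from any of the posters or from Splunk's documentation), the two counts discussed in the accepted answer and in bowesmana's reply can be produced in a single search without an eventstats/stats ordering problem: aggregate per username/hostname pair first, then attach the per-user device count and the per-host user count with two eventstats passes. The events are constructed inline with makeresults so the search runs without an M365 index; the format=csv and data arguments assume Splunk 9.0 or later, and the usernames and hostnames are made up.

```spl
| makeresults format=csv data="username,hostname,type
alice,WS-01,logged in
alice,WS-02,logged in
alice,WS-01,logged in
bob,WS-01,logged in
carol,WS-03,logged out"
| search type="logged in"
| stats count AS login_count by username, hostname
| eventstats dc(hostname) AS unique_hosts by username
| eventstats dc(username) AS unique_users by hostname
| table username, hostname, login_count, unique_hosts, unique_users
| sort username, hostname
```

On the constructed data this yields three rows: alice/WS-01 with login_count 2, unique_hosts 2, unique_users 2; alice/WS-02 with 1, 2, 1; and bob/WS-01 with 1, 1, 2 (carol is dropped by the type filter). The quoted type="logged in" matches the field value exactly, which is the correction bowesmana points out. For the original question (which users are logging in from more than one system), append `| where unique_hosts > 1`; for shared or over-used hosts, filter on unique_users instead. Against a real index, replace the makeresults block with `index=M365 type="logged in"` and keep the rest of the pipeline unchanged.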


Nagalakshmi
Path Finder

Thanks for your suggestions!!

0 Karma