Splunk Search

Is it possible to get a unique user listing with sourcetype="who"?

splunk4steve
New Member

I am trying to get a list of people who have logged in to our system in the last 24 hours. The unix app runs a script that generates this every 10 minutes or so. This is fine; however, I only need to see the information once...not the same list of users over and over again.

Is it possible to do a unique search with that sourcetype?

0 Karma

martin_mueller
SplunkTrust

There are several ways of making results unique. You could do a stats/chart/timechart by user, or run them over values(user), or use dedup, maybe more.

0 Karma
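The stats approach mentioned in the reply above, written out as an added example that is not part of the original posts. It groups the repeated 10-minute `who` snapshots by host and user, so each user appears once per server with the first and last time they were seen in the window. The index, sourcetype and host filter are taken from the thread; the `user` field name follows the reply and is an assumption about how the `who` events are extracted in this environment.

```spl
index="os" sourcetype="who" host="*.domain.com" earliest=-24h latest=now
| stats earliest(_time) AS first_seen latest(_time) AS last_seen count AS snapshots BY host, user
| convert ctime(first_seen) ctime(last_seen)
| sort host, user
```

Because `stats ... BY host, user` groups only on the named fields, the per-event timestamp no longer makes each row distinct. `dedup host user` behaves the same way for that reason, since it compares only the fields listed after it.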

splunk4steve
New Member

Close! I think this might work:

index="os" sourcetype="who" host="*.domain.com" | dedup host

0 Karma

martin_mueller
SplunkTrust

So... this?

some search over 24 hours | table user | dedup user
0 Karma

splunk4steve
New Member

I am basically trying to get a listing of all users who have logged in to a particular server over a period of 24 hours. I don't need to see that 'martin' logged in at 8:00am over and over again...I only need to see it once.

0 Karma

martin_mueller
SplunkTrust

What result are you trying to achieve from what data?

0 Karma

splunk4steve
New Member

I've tried using dedup. The problem is that the initial time/date stamp that Splunk adds makes it unique. Is there some way to filter that out?

0 Karma