Unique users logging in each day chart / search

tylermonteith
Explorer

I seem to be close on trying to find the statistics to be able to pull unique users per day but I know I'm missing something.

Goal: Have a stat/chart/search that has the unique user attribute per day for a span of 1 week / 1 month / 1 year search.

Search queries trialed:

EventCode=4624 user=* stats count by user  | stats dc(user) 

EventCode=4624 user=* | timechart span1d count as count_user by user | stats count by user

So the login event 4624 would be a successful login code, and then I'm trying to get it to give me a stat number of the unique values of user names that get it each day for a time span.

Am I close?

Any help would be appreciated!


richgalloway
SplunkTrust

The distinct_count (dc) function will give the unique values of a field.

EventCode=4624 user!="*$"
| timechart span=1d dc(user) as "Unique Users"

---
If this reply helps you, Karma would be appreciated.

tylermonteith
Explorer

Thank you! If I could ask one more question I'm now wanting to filter that out a bit.

So when looking that up I'm told to do | where user!="SYSTEM" or something like that

EventCode=4624 user!="*$" 
| timechart span=1d dc(user) as "Unique Users" 
| where user!="SYSTEM"

So that has me thinking of 2 questions. If != is the sign for EXCLUDE, then why does the above statement user!="*$" work, and second question, since it DOES work, how can I exclude multiple values?

example:
| where user!="SYSTEM","Administrator","Guest", etc?

richgalloway
SplunkTrust

Best Practice is to filter out events as early as possible, preferably before the first pipe.  Multiple filters can be combined with (implicit) AND.  Some like the cleaner look of the IN operator that just lists values to look for (or omit if NOT is used).

EventCode=4624 user!="*$" NOT user IN (SYSTEM Administrator Guest)
| timechart span=1d dc(user) as "Unique Users" 

---
If this reply helps you, Karma would be appreciated.

tylermonteith
Explorer

Can I use wildcard values in the IN command?

user IN (System Administrator Guest admin*)  So basically omit any user that starts with the word admin?

PickleRick
SplunkTrust

Try and see. Good thing about Splunk search is that it's hard to break something just by searching. 🙂

And yes, you can use wildcards with IN operator.
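As an added example that is not part of the thread, the Python below mirrors what the final search computes (EventCode filter, the user!="*$" machine-account exclusion, NOT user IN (...) including the admin* wildcard, then per-day distinct users) over a constructed batch of 4624/4625 events, so the effect of each filter can be checked offline. It assumes base-search matching is case-insensitive with * as a glob wildcard; the event list and user names are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed sample of Windows logon events, standing in for indexed data.
# EventCode 4624 is a successful logon; the 4625 failure must not be counted.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:02:11", "EventCode": 4624, "user": "alice"},
    {"_time": "2024-05-01T08:30:45", "EventCode": 4624, "user": "alice"},      # same user again: dc counts 1
    {"_time": "2024-05-01T09:15:00", "EventCode": 4624, "user": "bob"},
    {"_time": "2024-05-01T09:20:00", "EventCode": 4624, "user": "WS01$"},      # machine account: user!="*$"
    {"_time": "2024-05-01T10:00:00", "EventCode": 4624, "user": "SYSTEM"},     # dropped by NOT user IN (...)
    {"_time": "2024-05-01T10:05:00", "EventCode": 4625, "user": "mallory"},    # failed logon, wrong EventCode
    {"_time": "2024-05-02T07:45:00", "EventCode": 4624, "user": "admin-svc"},  # dropped by the admin* wildcard
    {"_time": "2024-05-02T08:10:00", "EventCode": 4624, "user": "carol"},
    {"_time": "2024-05-02T11:00:00", "EventCode": 4624, "user": "Administrator"},
    {"_time": "2024-05-04T08:00:00", "EventCode": 4624, "user": "alice"},      # 2024-05-03 has no logons at all
]

# The thread's NOT user IN (...) list plus the admin* wildcard asked about at the end.
EXCLUDED_USERS = ("SYSTEM", "Administrator", "Guest", "admin*")

def keep_event(event, excluded=EXCLUDED_USERS):
    """Mirror the pre-pipe filter  EventCode=4624 user!="*$" NOT user IN (...).

    Assumption: matching is case-insensitive and * is a glob wildcard, as in the
    base search (the where command, by contrast, compares case-sensitively).
    """
    if event["EventCode"] != 4624:
        return False
    user = event["user"].lower()
    if user.endswith("$"):                                 # user!="*$"
        return False
    return not any(fnmatchcase(user, pat.lower()) for pat in excluded)

def unique_users_per_day(events, excluded=EXCLUDED_USERS):
    """Equivalent of  | timechart span=1d dc(user): distinct users per calendar day.
    Like timechart, a day inside the range with no surviving events is reported as 0."""
    users_by_day = defaultdict(set)
    for ev in events:
        if keep_event(ev, excluded):
            users_by_day[datetime.fromisoformat(ev["_time"]).date()].add(ev["user"])
    if not users_by_day:
        return {}
    day, last, counts = min(users_by_day), max(users_by_day), {}
    while day <= last:
        counts[day.isoformat()] = len(users_by_day.get(day, ()))
        day += timedelta(days=1)
    return counts
```

Dropping "admin*" from EXCLUDED_USERS raises 2024-05-02 from 1 to 2, which is the difference the wildcard question at the end of the thread is about.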
