I seem to be close to finding the statistics to pull unique users per day, but I know I'm missing something.
Goal: have a stat/chart/search that gives the unique user attribute per day over a 1 week / 1 month / 1 year search span.
Search queries tried:
EventCode=4624 user=* | stats count by user | stats dc(user)
EventCode=4624 user=* | timechart span=1d count as count_user by user | stats count by user
So the logon event 4624 is the successful login code, and I'm trying to get it to give me a stat of the number of unique user names that log in each day over a time span.
Am I close?
Any help would be appreciated!
Best practice is to filter out events as early as possible, preferably before the first pipe. Multiple filters can be combined with an (implicit) AND. Some like the cleaner look of the IN operator, which just lists the values to look for (or to omit, if NOT is used).
EventCode=4624 user!="*$" NOT user IN (SYSTEM Administrator Guest)
| timechart span=1d dc(user) as "Unique Users"
The distinct_count (dc) function will give the unique values of a field.
EventCode=4624 user!="*$"
| timechart span=1d dc(user) as "Unique Users"
Thank you! If I could ask one more question: I'm now wanting to filter that a bit.
So when looking that up, I'm told to do | where user!="SYSTEM" or something like that.
EventCode=4624 user!="*$"
| timechart span=1d dc(user) as "Unique Users"
| where user!="SYSTEM"
So that has me thinking of two questions. If != is the sign for EXCLUDE, then why does the statement user!="*$" above work? And second, since it DOES work, how can I exclude multiple values?
example:
| where user!="SYSTEM","Administrator","Guest", etc?
Can I use wildcard values in the IN command?
user IN (System Administrator Guest admin*) So basically, omit any user whose name starts with the word admin?
Try it and see. The good thing about Splunk search is that it's hard to break something just by searching. 🙂
And yes, you can use wildcards with the IN operator.
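A worked replay of the thread's final query, added here as an example; it is Python, not Splunk, and not code from anyone in the thread. It mirrors the semantics of EventCode=4624 user!="*$" NOT user IN (SYSTEM Administrator Guest admin*) | timechart span=1d dc(user) over a handful of constructed 4624/4625 events, so you can see why user!="*$" works (the * is a wildcard, so the clause drops every user name ending in $, which is how computer accounts are named), why each value in the NOT user IN list is dropped including the admin* wildcard, and how dc(user) differs from count when one user logs on twice in a day. Assumptions it makes: base-search comparisons are case-insensitive and * is the only wildcard character; the day bucket is the date prefix of the timestamp, which ignores the time-zone alignment Splunk applies to span=1d. One caveat that goes with the advice to filter before the first pipe: user!="*$" also drops events that have no user field at all, whereas NOT user="*$" keeps them.

```python
"""Added example (not Splunk, not the poster's or answerer's code): a Python
replay of the thread's final SPL over constructed 4624 events, so the effect
of each filter and the difference between count and dc(user) are visible.

SPL being mirrored:
    EventCode=4624 user!="*$" NOT user IN (SYSTEM Administrator Guest admin*)
    | timechart span=1d dc(user) as "Unique Users"
"""
import re
from collections import defaultdict

# Constructed sample events, not real Windows Security logs:
# (timestamp, EventCode, user)
EVENTS = [
    ("2024-03-04T08:01:00", 4624, "alice"),
    ("2024-03-04T08:05:00", 4624, "alice"),     # repeat logon: count 2, dc 1
    ("2024-03-04T09:10:00", 4624, "bob"),
    ("2024-03-04T09:12:00", 4624, "WS01$"),     # computer account, caught by user!="*$"
    ("2024-03-04T10:00:00", 4624, "SYSTEM"),    # in the NOT user IN (...) list
    ("2024-03-04T11:00:00", 4625, "mallory"),   # failed logon: wrong EventCode
    ("2024-03-05T07:30:00", 4624, "adminsvc"),  # matches the admin* wildcard
    ("2024-03-05T07:45:00", 4624, "carol"),
    ("2024-03-05T23:59:00", 4624, "guest"),     # Guest, differing case
    ("2024-03-06T00:00:01", 4624, "bob"),
]

# Values listed in NOT user IN (...); '*' is the only wildcard character.
EXCLUDED_USERS = ("SYSTEM", "Administrator", "Guest", "admin*")


def spl_match(value: str, pattern: str) -> bool:
    """Mimic a search-time field=value comparison: '*' matches any run of
    characters and the comparison is case-insensitive (assumption: this is
    how Splunk treats field values in the base search, before the first pipe)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def keep(event) -> bool:
    """The base search: every clause is an implicit AND."""
    _, code, user = event
    if code != 4624:                                     # EventCode=4624
        return False
    if spl_match(user, "*$"):                            # user!="*$"
        return False
    if any(spl_match(user, p) for p in EXCLUDED_USERS):  # NOT user IN (...)
        return False
    return True


def per_day_buckets(events):
    """timechart span=1d: bucket kept events by calendar day. Assumption: the
    day is the date prefix of the timestamp (Splunk aligns spans to the search
    time zone, which this toy ignores)."""
    buckets = defaultdict(list)
    for event in filter(keep, events):
        buckets[event[0][:10]].append(event[2])
    return dict(sorted(buckets.items()))


def unique_users_per_day(events):
    """dc(user) per day: distinct values, like the accepted answer's query."""
    return {day: len(set(users)) for day, users in per_day_buckets(events).items()}


def logons_per_day(events):
    """count per day, for contrast: repeat logons by one user inflate this."""
    return {day: len(users) for day, users in per_day_buckets(events).items()}


def unique_users_overall(events):
    """stats dc(user) with no time split, as in the poster's first attempt."""
    return len({event[2] for event in filter(keep, events)})


if __name__ == "__main__":
    logons = logons_per_day(EVENTS)
    for day, dc in unique_users_per_day(EVENTS).items():
        print(f"{day}  Unique Users={dc}  logons={logons[day]}")
    print("overall dc(user):", unique_users_overall(EVENTS))
```

Running the file prints one row per day; the first day shows Unique Users=2 against 3 logons because alice appears twice, the machine account, SYSTEM and the 4625 event never reach the bucket, and on the second day adminsvc and guest are dropped by the IN list so only carol remains.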