Unique users logging in each day chart / search

tylermonteith
Explorer

I seem to be close on trying to find the statistics to be able to pull unique users per day but I know I'm missing something.

Goal: Have a stat/chart/search that has the unique user attribute per day for a span of 1 week / 1 month / 1 year search.

Search queries trialed:

EventCode=4624 user=* | stats count by user | stats dc(user)

EventCode=4624 user=* | timechart span=1d count as count_user by user | stats count by user

So the login event 4624 would be a successful log in code and then trying to get it to give me a stat number of the unique values of user names that get it each day for a time span.

Am I close?

Any help would be appreciated!


richgalloway
SplunkTrust
SplunkTrust

The distinct_count (dc) function will give the unique values of a field.

EventCode=4624 user!="*$"
| timechart span=1d dc(user) as "Unique Users"

---
If this reply helps you, Karma would be appreciated.

tylermonteith
Explorer

Thank you! If I could ask one more question I'm now wanting to filter that out a bit.

So when looking that up I'm told to do | where user!="SYSTEM" or something like that

EventCode=4624 user!="*$" 
| timechart span=1d dc(user) as "Unique Users" 
| where user!="SYSTEM"

So that makes me think of 2 questions. If != is the sign for EXCLUDE, then why does the above statement user!="*$" work? And second, since it DOES work, how can I exclude multiple values?

example:
| where user!="SYSTEM","Administrator","Guest", etc?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Best Practice is to filter out events as early as possible, preferably before the first pipe.  Multiple filters can be combined with (implicit) AND.  Some like the cleaner look of the IN operator that just lists values to look for (or omit if NOT is used).

EventCode=4624 user!="*$" NOT user IN (SYSTEM Administrator Guest)
| timechart span=1d dc(user) as "Unique Users" 


0 Karma

tylermonteith
Explorer

Can I use wildcard values in the IN command?

user IN (System Administrator Guest admin*)  So basically omit any user that starts with the word admin?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Try and see. Good thing about Splunk search is that it's hard to break something just by searching. 🙂

And yes, you can use wildcards with IN operator.
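Putting the thread together, here is the search as an added example (not from any of the posters). It assumes the Windows Security events live in an index named wineventlog and that the user field is already extracted; the earliest/latest window is one way to cover the original 1 week / 1 month / 1 year goal, and the quoted admin* entry shows a wildcard inside IN.

```spl
index=wineventlog EventCode=4624 earliest=-30d@d latest=@d
    user!="*$" NOT user IN ("SYSTEM", "Administrator", "Guest", "admin*")
| timechart span=1d dc(user) AS "Unique Users"
| fillnull value=0 "Unique Users"
```

All exclusions sit before the first pipe because after timechart the rows only carry _time and "Unique Users", so a later | where user!=... has no user field to test.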
