Unique users logging in each day chart / search

tylermonteith
Explorer

I seem to be close on trying to find the statistics to be able to pull unique users per day but I know I'm missing something.

Goal: Have a stat/chart/search that has the unique user attribute per day for a span of 1 week / 1 month / 1 year search.

Search queries trialed:

EventCode=4624 user=* stats count by user | stats dc(user)

EventCode=4624 user=* | timechart span1d count as count_user by user | stats count by user

So the login event 4624 would be a successful log in code and then trying to get it to give me a stat number of the unique values of user names that get it each day for a time span.

Am I close?

Any help would be appreciated!

0 Karma

richgalloway
SplunkTrust

The distinct_count (dc) function will give the unique values of a field.

EventCode=4624 user!="*$"
| timechart span=1d dc(user) as "Unique Users"

---
If this reply helps you, Karma would be appreciated.

tylermonteith
Explorer

Thank you! If I could ask one more question, I'm now wanting to filter that out a bit.

So when looking that up I'm told to do | where user!="SYSTEM" or something like that

EventCode=4624 user!="*$"
| timechart span=1d dc(user) as "Unique Users"
| where user!="SYSTEM"

So that has me thinking of 2 questions. If != is the sign for EXCLUDE, then why does the above statement user!="*$" work, and second question, since it DOES work, how can I exclude multiple values?

example:
| where user!="SYSTEM","Administrator","Guest", etc?

0 Karma

richgalloway
SplunkTrust

Best Practice is to filter out events as early as possible, preferably before the first pipe. Multiple filters can be combined with (implicit) AND. Some like the cleaner look of the IN operator that just lists values to look for (or omit if NOT is used).

EventCode=4624 user!="*$" NOT user IN (SYSTEM Administrator Guest)
| timechart span=1d dc(user) as "Unique Users"

---
If this reply helps you, Karma would be appreciated.
0 Karma

tylermonteith
Explorer

Can I use wildcard values in the IN command?

user IN (System Administrator Guest admin*) So basically omit any user that starts with the word admin?

0 Karma

PickleRick
SplunkTrust

Try and see. Good thing about Splunk search is that it's hard to break something just by searching. 🙂

And yes, you can use wildcards with IN operator.
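The accepted search above (filter on EventCode=4624, drop machine accounts with user!="*$", drop a NOT user IN (...) list, then dc(user) per day) and the wildcard-in-IN question are easy to sanity-check offline. The following Python is an added example, not code from any poster or from Splunk: it emulates those filter semantics over a constructed list of 4624/4625 events and returns the per-day distinct user count the timechart would produce. Field names, the event list and the exclusion list are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real log data). Same shape Splunk would
# extract from Windows Security logs: _time, EventCode, user.
EVENTS = [
    {"_time": "2024-01-01T08:00:00", "EventCode": 4624, "user": "alice"},
    {"_time": "2024-01-01T09:00:00", "EventCode": 4624, "user": "alice"},     # same user, same day
    {"_time": "2024-01-01T09:30:00", "EventCode": 4624, "user": "WKSTN01$"},  # machine account
    {"_time": "2024-01-01T10:00:00", "EventCode": 4624, "user": "SYSTEM"},
    {"_time": "2024-01-01T11:00:00", "EventCode": 4625, "user": "bob"},       # failed logon
    {"_time": "2024-01-01T12:00:00", "EventCode": 4624, "user": "bob"},
    {"_time": "2024-01-02T08:00:00", "EventCode": 4624, "user": "admin_svc"}, # matches admin*
    {"_time": "2024-01-02T08:30:00", "EventCode": 4624, "user": "Administrator"},
    {"_time": "2024-01-02T09:00:00", "EventCode": 4624, "user": "carol"},
    {"_time": "2024-01-02T10:00:00", "EventCode": 4624, "user": "alice"},
    {"_time": "2024-01-02T11:00:00", "EventCode": 4624, "user": "dave"},
]

# Default exclusion list, mirroring NOT user IN (SYSTEM Administrator Guest admin*).
DEFAULT_EXCLUDE = ("SYSTEM", "Administrator", "Guest", "admin*")


def splunk_glob(pattern):
    """Translate a Splunk search-time value (only * is a wildcard) into an
    anchored regex. Base-search field matching is case-insensitive, so the
    regex is too; a where-clause comparison would be case-sensitive."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def keep_event(event, exclude_patterns):
    """Apply EventCode=4624 user!="*$" NOT user IN (...) before the first pipe."""
    if event.get("EventCode") != 4624:
        return False
    user = event.get("user")
    if user is None:                      # user=* / user!=... need the field present
        return False
    if splunk_glob("*$").match(user):     # user!="*$": drop computer accounts
        return False
    return not any(p.match(user) for p in exclude_patterns)


def unique_users_per_day(events, exclude=DEFAULT_EXCLUDE):
    """Emulate | timechart span=1d dc(user). Days with no surviving events are
    omitted here; timechart would emit them as 0."""
    patterns = [splunk_glob(p) for p in exclude]
    buckets = defaultdict(set)
    for event in events:
        if keep_event(event, patterns):
            day = datetime.fromisoformat(event["_time"]).date().isoformat()
            buckets[day].add(event["user"])
    return {day: len(users) for day, users in sorted(buckets.items())}
```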
