Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- count on 2 fields
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sgsplunk78
Engager
10-21-2013
06:15 AM
Hello,
The command Who returns me the log :
USERNAME LINE HOSTNAME TIME root pts/1 PC1.domain.com Oct 21 14:17 root pts/2 PC2.domain.com Oct 21 14:17 USER3 pts/4 PC3.domain.com Oct 17 17:19
host = HOSTA source = who sourcetype = who
I would like to know who is connecting to my servers and from which terminal. I use the command : index=Logs source="who" (host=HOSTA) | multikv forceheader=1 | chart count by HOSTNAME, host.
Result =
HOSTNAME ↧ HOSTA↕
PC1.domain.com 48
PC2.domain.com 4
PC3.domain.com 2
But there is not the column USERNAME. I would like, a colum : Hostname,a column : Username, and the column : Host containing the count as it's done at the moment. It will be very cool if I could have the last day the couple USERNAME/Hostname has been seen.
Thanks for your help,
Regards,
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lukejadamec
Super Champion
10-21-2013
06:36 AM
Have you tried:
index=Logs source="who" (host=HOSTA) | multikv forceheader=1 | chart count by USERNAME,HOSTNAME,host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lukejadamec
Super Champion
10-21-2013
06:36 AM
Have you tried:
index=Logs source="who" (host=HOSTA) | multikv forceheader=1 | chart count by USERNAME,HOSTNAME,host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sgsplunk78
Engager
10-21-2013
07:32 AM
YES!!!!
Thanks a lot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aholzer
Motivator
10-21-2013
07:18 AM
do stats instead of chart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sgsplunk78
Engager
10-21-2013
06:41 AM
Yes,
but it returns me :
Error in 'chart' command: The argument 'host' is invalid.
It seems that if I put more than 2 fields after "chart count by", an error occurs....
Thanks,
Get Updates on the Splunk Community!
Index This | What did the zero say to the eight?
June 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...
This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Now Playing: Splunk Education Summer Learning Premieres
It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
