Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- count on 2 fields
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sgsplunk78
Engager
10-21-2013
06:15 AM
Hello,
The command Who returns me the log :
USERNAME LINE HOSTNAME TIME root pts/1 PC1.domain.com Oct 21 14:17 root pts/2 PC2.domain.com Oct 21 14:17 USER3 pts/4 PC3.domain.com Oct 17 17:19
host = HOSTA source = who sourcetype = who
I would like to know who is connecting to my servers and from which terminal. I use the command : index=Logs source="who" (host=HOSTA) | multikv forceheader=1 | chart count by HOSTNAME, host.
Result =
HOSTNAME ↧ HOSTA↕
PC1.domain.com 48
PC2.domain.com 4
PC3.domain.com 2
But there is not the column USERNAME. I would like, a colum : Hostname,a column : Username, and the column : Host containing the count as it's done at the moment. It will be very cool if I could have the last day the couple USERNAME/Hostname has been seen.
Thanks for your help,
Regards,
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lukejadamec
Super Champion
10-21-2013
06:36 AM
Have you tried:
index=Logs source="who" (host=HOSTA) | multikv forceheader=1 | chart count by USERNAME,HOSTNAME,host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lukejadamec
Super Champion
10-21-2013
06:36 AM
Have you tried:
index=Logs source="who" (host=HOSTA) | multikv forceheader=1 | chart count by USERNAME,HOSTNAME,host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sgsplunk78
Engager
10-21-2013
07:32 AM
YES!!!!
Thanks a lot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aholzer
Motivator
10-21-2013
07:18 AM
do stats instead of chart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sgsplunk78
Engager
10-21-2013
06:41 AM
Yes,
but it returns me :
Error in 'chart' command: The argument 'host' is invalid.
It seems that if I put more than 2 fields after "chart count by", an error occurs....
Thanks,
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
