Splunk Search

count on 2 fields

sgsplunk78
Engager

Hello,

The command Who returns me the log :
USERNAME LINE HOSTNAME TIME root pts/1 PC1.domain.com Oct 21 14:17 root pts/2 PC2.domain.com Oct 21 14:17 USER3 pts/4 PC3.domain.com Oct 17 17:19

host = HOSTA source = who sourcetype = who

I would like to know who is connecting to my servers and from which terminal. I use the command : index=Logs source="who" (host=HOSTA) | multikv forceheader=1 | chart count by HOSTNAME, host.
Result =

HOSTNAME ↧ HOSTA↕

PC1.domain.com 48

PC2.domain.com 4

PC3.domain.com 2

But there is not the column USERNAME. I would like, a colum : Hostname,a column : Username, and the column : Host containing the count as it's done at the moment. It will be very cool if I could have the last day the couple USERNAME/Hostname has been seen.

Thanks for your help,

Regards,

Tags (3)
0 Karma
1 Solution

lukejadamec
Super Champion

Have you tried:

index=Logs source="who" (host=HOSTA) | multikv forceheader=1  | chart count by USERNAME,HOSTNAME,host

View solution in original post

0 Karma

lukejadamec
Super Champion

Have you tried:

index=Logs source="who" (host=HOSTA) | multikv forceheader=1  | chart count by USERNAME,HOSTNAME,host
0 Karma

sgsplunk78
Engager

YES!!!!
Thanks a lot

0 Karma

aholzer
Motivator

do stats instead of chart

sgsplunk78
Engager

Yes,
but it returns me :
Error in 'chart' command: The argument 'host' is invalid.

It seems that if I put more than 2 fields after "chart count by", an error occurs....

Thanks,

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...