Solved: count on 2 fields

sgsplunk78 · ‎10-21-2013

Hello,

The command Who returns me the log :
USERNAME LINE HOSTNAME TIME root pts/1 PC1.domain.com Oct 21 14:17 root pts/2 PC2.domain.com Oct 21 14:17 USER3 pts/4 PC3.domain.com Oct 17 17:19

host = HOSTA source = who sourcetype = who

I would like to know who is connecting to my servers and from which terminal. I use the command : index=Logs source="who" (host=HOSTA) | multikv forceheader=1 | chart count by HOSTNAME, host.
Result =

HOSTNAME ↧ HOSTA↕

PC1.domain.com 48

PC2.domain.com 4

PC3.domain.com 2

But there is not the column USERNAME. I would like, a colum : Hostname,a column : Username, and the column : Host containing the count as it's done at the moment. It will be very cool if I could have the last day the couple USERNAME/Hostname has been seen.

Thanks for your help,

Regards,

lukejadamec · ‎10-21-2013

Have you tried:

index=Logs source="who" (host=HOSTA) | multikv forceheader=1  | chart count by USERNAME,HOSTNAME,host

View solution in original post

lukejadamec · ‎10-21-2013

Have you tried:

index=Logs source="who" (host=HOSTA) | multikv forceheader=1  | chart count by USERNAME,HOSTNAME,host

sgsplunk78 · ‎10-21-2013

YES!!!!
Thanks a lot

aholzer · ‎10-21-2013

do stats instead of chart

sgsplunk78 · ‎10-21-2013

Yes,
but it returns me :
Error in 'chart' command: The argument 'host' is invalid.

It seems that if I put more than 2 fields after "chart count by", an error occurs....

Thanks,

count on 2 fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation