Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

user success and failure login by month

navan1
Explorer
Tuesday

Hello Team, 

 

How to search specific app user successful and failure events by month for Jan to Dec?

Base search,

 

index=my_index app=a  | table app action  user |eval Month=strftime(_time,"%m") |stats count by user Month

I am not getting any result by above search.

 

 

Labels (4)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
Tuesday

OK. The important thing here is _why_ you're not getting results so this is a learning experience.

Let's dig into your search (which is actually pretty close to being OK for the task).

 

 

index=my_index app=a

 

 

That's apparently your initial search, nothing to see here. Move along.

 

 

| table app action  user

 

 

Now you're making a table containing just fields app, action and user.

This is a wrong approach. On two levels.

One - this is a table command which might not make much difference in a small-scale scenario, especially when everything is done on a single server but, very importantly, table is a transforming command which means that in a bigger environment, with several indexers and separate search head your search would at this point be moved from the indexer tier (when the same operation can be run in parallel by each indexer on its own part of data) to the search head. So avoid using the table command early on in your pipeline. If you want to limit processed fields, use fields command. And remember that when using fast search mode only the fields used in the search are extracted and displayed so this intermediate limiting of processed fields might be useful in more complicated searches but in this case (and we'll go back to this shortly), it doesn't make much sense.

Two - and that will be important soon - after this command you are left with just those three explicitly requested fields. While the fields command by default drags along the internal fields unless you explicitly exclude them (most importantly _time and _raw), the table command only returns the explicitly specified fields.

 

 

|eval Month=strftime(_time,"%m")

 

 

The overall idea is sound - you want to get a field called Month containing a string representation of your month. The problem is that in a previous step you removed the _time field from your data. So you don't have the timestamp anymore and you have nothing to render into this month-string.

BTW, whenever manipulating timestamps in a middle of a search, I prefer to use fieldformat instead of eval so that you still have your original timestamps and can do arithmetics on them without needing to parse them again or can sort them but that's a story for another time.

 

 

|stats count by user Month

 

 

And that would be a good thing but in the previous step you didn't get any values for Month. So Splunk cannot group by Month because there is no Month. So you're not getting any values at all.

Since you're doing the counting quite early, you could have simply omitted the table command earlier since the stats will be limited to the count value and the "by-fields" only.

And you're missing the action part - you want the actions separately, right? So you can't aggregate them for a single user. You must add the action field to the by fields.

So your search could finally look like this:

 

 

index=my_index app=a
|eval Month=strftime(_time,"%m")
|stats count by user action Month

 

 

 

Reply

kiran_panchavat
Builder
Tuesday

@navan1 If you want to check from past one year, you can try this. 

kiran_panchavat_0-1736273701166.pngkiran_panchavat_1-1736273740378.png

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

Please, don't forget to accept this solution if it fits your needs.

0 Karma
Reply

navan1
Explorer
Tuesday

Hello Kiran,

 

I am getting below error,

 

navan1_0-1736274425786.png

 

0 Karma
Reply

kiran_panchavat
Builder
Tuesday

@navan1 

You should include a space before AS. Please refer to this query as an example.

index=test
earliest=-365d latest=now
| eval Month=strftime(_time, "%Y-%m")
| stats dc(eval (action="success")) AS Success_Users dc( eval(action="failure")) AS Failure_Users BY Month
| sort Month

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

Please, don't forget to accept this solution if it fits your needs.

0 Karma
Reply

kiran_panchavat
Builder
Tuesday

@navan1 

Try like this. I don't have action=success and action=failure events so i just gave randomly. Please modify your query as per your requirement. 

kiran_panchavat_0-1736272259380.png

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

 

0 Karma
Reply

navan1
Explorer
Tuesday

Hello Kiran, 

Here the action has two fields,

Success and failure, I need to list success and failure user by month for past one year.

0 Karma
Reply
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...