I need some help in formulating a complex search command. The requirement is to take one list (list2) of users and see which ones on the list don't match the ones on the other list (list1).
I have a set of events for users logins as per the below:
_time username loginStatus
2019-10-30 19:00:39.819 theCrazy1@gmail.com success
2019-10-30 19:00:28.266 theCrazy1@gmail.com fail
2019-10-30 19:00:13.158 theCrazy2@gmail.com success
2019-10-30 19:00:12.383 theCrazy2@gmail.com fail
2019-10-30 19:00:12.381 theCrazy3@gmail.com fail
2019-10-30 19:00:12.382 theCrazy4@gmail.com fail
2019-10-30 19:00:12.384 theCrazy5@gmail.com fail
2019-10-30 19:00:12.385 theCrazy6@gmail.com fail
2019-10-30 19:00:12.386 theCrazy7@gmail.com fail
As you can see from the above, some users have an event for successful logins as well as an event for failed logins. Some other users have only failed login events. I want a search command that can return the below:
1. number of distinct users who have successful login events
|tstats dc(username) where loginStatus::success by loginStatus
2. number of distinct users who have failed login events but no successful login events
no idea how to do that based on 1 above
Based on the above, the result should be:
Could you please confirm the below:
- Can Splunk do that?
- If yes, what would be the most efficient way to do it?
- Can you give the exact search command based on the above?
The only thing I could come up with was the below which didn't work:
index=myindex loginStatus::success | table username |rename username AS username2 |dedup username2 sortBy username2 | append [search index= myindex loginStatus::fail | table username | dedup username sortBy username] | diff diff maxlen=0 attribute= username
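One way to get both counts in a single pass, as an added example that is not part of the original post: rather than diffing two separate result sets, collapse the events per user first (does this user have any success event? any fail event?) and then count over those per-user flags. The search assumes the index name `myindex` and the field names `username` and `loginStatus` exactly as they appear in the post; nothing else is taken from the page.

```spl
index=myindex (loginStatus=success OR loginStatus=fail)
| stats max(eval(if(loginStatus="success",1,0))) AS has_success
        max(eval(if(loginStatus="fail",1,0))) AS has_fail
        BY username
| eval fail_only=if(has_fail=1 AND has_success=0, 1, 0)
| stats sum(has_success) AS users_with_success
        sum(fail_only) AS users_with_fail_only
        values(eval(if(fail_only=1, username, null()))) AS fail_only_users
```

The first `stats ... BY username` produces one row per user with two 0/1 flags, so a user who both failed and later succeeded (theCrazy1, theCrazy2 in the sample) gets `has_success=1` and is excluded from `fail_only`. On the nine sample events this returns `users_with_success=2` and `users_with_fail_only=5`, with `fail_only_users` listing theCrazy3 through theCrazy7. The `values(...)` column is optional but is usually what an analyst wants next: the fail-only users are the accounts worth checking for lockouts, stale credentials or password-guessing activity. Note that `tstats` only works on indexed fields, which is why the `tstats dc(username)` attempt in the post would not see `loginStatus` unless it is extracted at index time; the `stats`-based search above works on search-time fields.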
I have just upgraded the Splunk Mobile App to version 1.4 but it requires Splunk Cloud Gateway 1.4 to be installed. When I tried to install it from Splunkbase, I found that the latest version there is 1.3.1, not 1.4.
Could you please upload the 1.4 version, as my Mobile App doesn't work anymore?