Security

How to filter unique logins over specific time spans?

zsizemore
Path Finder

I couldn't exactly figure out how to phrase my question.

I'm working with data of users logging into a service from different places all around the world. What I'm trying to do is categorize and display the logins as very short term (all accesses w/in 24 hours), short term (all accesses w/in 7 days), and long term or repeat visitor (accesses over a period of more than 7 days).

I'm new to Splunk so my starting point is

| stats dc(User) as usercount count by IP_address 
| sort 0 -count 
| head 100
| iplocation IP_address
| table Country Region City usercount count 
| where isnotnull( City )

Any help or guidance would be appreciated!

0 Karma
1 Solution

sundareshr
Legend

See if this gives you any ideas...

... | stats earliest(_time) as first_login latest(_time) as last_login count as logins by IP_Address user
| eval term=last_login-first_login
| eval term=case(term<86400, "Very Short", term<(86400*7), "Short", true(), "Long")
| stats sum(logins) as count dc(user) as usercount values(term) as term by IP_Address
| iplocation IP_Address


0 Karma
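The bucketing the accepted answer performs, rewritten in Python as an added example (not code from this thread or from Splunk) so the logic can be checked on constructed sample logins outside Splunk. It mirrors the two-stage stats pipeline: earliest and latest login per (IP, user) pair, the span bucketed with half-open boundaries so a span of exactly 24 hours or exactly 7 days still receives a label, then a roll-up per IP of total logins, distinct users and the set of labels. The timestamps, IP addresses and user names are constructed; `longest_term` is an added convenience field for showing one label per IP, not something the SPL produces.

```python
from collections import defaultdict
from datetime import datetime, timezone

DAY = 86400  # seconds in a day, the same constant the SPL answer uses

# Constructed sample logins (not real data): (UTC timestamp, IP_address, User).
EVENTS = [
    ("2024-05-01T08:00:00Z", "203.0.113.10", "alice"),
    ("2024-05-01T20:30:00Z", "203.0.113.10", "alice"),   # alice: 12.5 h span -> Very Short
    ("2024-05-01T09:00:00Z", "203.0.113.10", "bob"),
    ("2024-05-05T09:00:00Z", "203.0.113.10", "bob"),     # bob: 4 day span -> Short
    ("2024-05-01T10:00:00Z", "198.51.100.7", "carol"),
    ("2024-05-20T10:00:00Z", "198.51.100.7", "carol"),   # carol: 19 day span -> Long
    ("2024-05-02T00:00:00Z", "192.0.2.44", "dave"),      # dave: single login, span 0
    ("2024-05-02T00:00:00Z", "192.0.2.99", "erin"),
    ("2024-05-03T00:00:00Z", "192.0.2.99", "erin"),      # erin: exactly 24 h, the boundary case
]

TERM_RANK = ["Very Short", "Short", "Long"]  # ordering used to pick one label per IP


def parse_ts(stamp):
    """ISO-8601 UTC timestamp -> epoch seconds (what Splunk stores in _time)."""
    return int(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def classify_span(seconds):
    """Bucket a first-to-last login span in seconds.

    Half-open intervals guarantee every value gets a label; a case() written
    as term<86400 / term>86400 leaves a span of exactly 86400 unlabelled.
    """
    if seconds < DAY:
        return "Very Short"
    if seconds < 7 * DAY:
        return "Short"
    return "Long"


def summarize(events):
    """Two-stage roll-up matching the SPL pipeline.

    Stage 1 (stats earliest/latest/count by IP user): first login, last login
    and login count per (IP, user) pair.
    Stage 2 (stats by IP): total logins, distinct users and the set of terms.
    Returns {ip: {"count", "usercount", "term", "longest_term"}}.
    """
    first, last, logins = {}, {}, defaultdict(int)
    for stamp, ip, user in events:
        t = parse_ts(stamp)
        key = (ip, user)
        first[key] = min(first.get(key, t), t)
        last[key] = max(last.get(key, t), t)
        logins[key] += 1

    per_ip = defaultdict(lambda: {"count": 0, "users": set(), "terms": set()})
    for key in first:
        ip, user = key
        row = per_ip[ip]
        # Summing the per-pair counts keeps the true login total; a plain
        # `stats count` over the stage-1 output would count (IP, user) pairs.
        row["count"] += logins[key]
        row["users"].add(user)
        row["terms"].add(classify_span(last[key] - first[key]))

    result = {}
    for ip, row in per_ip.items():
        result[ip] = {
            "count": row["count"],
            "usercount": len(row["users"]),
            "term": sorted(row["terms"]),  # values(term) in SPL: the distinct labels
            "longest_term": max(row["terms"], key=TERM_RANK.index),
        }
    return result


if __name__ == "__main__":
    # Same ordering as the question's `sort 0 -count`
    for ip, row in sorted(summarize(EVENTS).items(), key=lambda kv: -kv[1]["count"]):
        print(ip, row)
```

Two things worth noticing when mapping this back to SPL: the first `stats` collapses the events to one row per (IP, user), so the login total has to be carried forward explicitly (`count as logins` then `sum(logins)`), and an IP shared by several users can legitimately end up with more than one label in `values(term)`, which is why a single display label has to be derived separately if the dashboard needs one.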

zsizemore
Path Finder

Thanks for the quick response -- I tried that code and got an "Error in 'stats command: The argument 'login' is invalid."

0 Karma

sundareshr
Legend

There's first_login and last_login; there's no login. Can you post your search?

0 Karma

zsizemore
Path Finder

I was able to get it to run, but there were no results found under Statistics, so I'm not sure what went wrong.

Edit: I had to change the capitalization for some of the variables, but I'm getting results now!

0 Karma

sundareshr
Legend

Great! Please accept the answer to close it out.

0 Karma