Splunk Search

How to count number of applications associated with a given user and report if less than 10?

beetlegeuse
Path Finder

I'm working on a search that evaluates events for a specific index/sourcetype combination; the events reflect SSO information regarding user authentication success as well as applications the user has accessed while logged on. The search is a result of an ask to identify how many users have accessed 10 or fewer apps during their logon session. 

For the user, I'm using a field called "sm_user_dn"; for the app name, I'm using "sm_agentname". My search looks like this currently:

index=foo sourcetype=bar | table sm_user_dn, sm_agentname

This is pretty basic, and shows me all the user name/app combinations that have been reported in the events. 

At this point, how do I tally up the number of apps per user and only show the users which have nine or fewer apps associated with them?


isoutamo
SplunkTrust

Hi

you can try this

index=foo sourcetype=bar 
| stats dc(sm_agentname) as appsCount by sm_user_dn
| where appsCount < 10

r. Ismo 



beetlegeuse
Path Finder

Thank you...this did the trick!


beetlegeuse
Path Finder

Thank you @isoutamo! One additional ask: what would be added to count the number of users that meet the "less than 10" criteria? Does the number returned in the "Statistics" tab header reflect that?

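The following is an added example, not code from the thread or from Splunk. It builds a constructed data set with makeresults (the user DNs and app names are made up), applies the accepted stats dc / where answer, and then answers the follow-up by counting the qualifying users explicitly with a second stats, rather than relying on the row count shown in the Statistics tab. It assumes one logon session per user in the search window; if a session identifier field exists in the events, it would be added to the BY clause so the distinct count is per session rather than per user.

```spl
| makeresults count=11
| streamstats count AS n
| eval sm_user_dn="cn=dave,ou=people,dc=example,dc=com", sm_agentname="app" . n
| append
    [| makeresults
     | eval pairs="alice:portal,alice:mail,alice:portal,bob:portal,bob:mail,bob:hr,carol:hr"
     | makemv delim="," pairs
     | mvexpand pairs
     | rex field=pairs "^(?<user>[^:]+):(?<sm_agentname>.+)$"
     | eval sm_user_dn="cn=" . user . ",ou=people,dc=example,dc=com"]
| fields sm_user_dn sm_agentname
| stats dc(sm_agentname) AS appsCount BY sm_user_dn
| where appsCount < 10
| stats count AS usersUnderTen
```

The first block generates eleven distinct app events for dave, so that user is dropped by the where clause; the subsearch adds alice (who accessed portal twice, which dc counts once), bob and carol. Removing the final line leaves the per-user table from the accepted answer, and the number of rows in that table is exactly what the last stats count reports. Replace the two makeresults blocks with index=foo sourcetype=bar to run it against real events.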