Solved: Re: How to count number of applications associated...

beetlegeuse · ‎09-14-2022

I'm working on a search that evaluates events for a specific index/sourcetype combination; the events reflect SSO information regarding user authentication success as well as applications the user has accessed while logged on. The search is a result of an ask to identify how many users have accessed 10 or fewer apps during their logon session.

For the user, I'm using a field called "sm_user_dn"; for the app name, I'm using "sm_agentname". My search looks like this currently:

index=foo sourcetype=bar | table sm_user_dn, sm_agentname

This is pretty basic, and shows me all the user name/app combinations that have been reported in the events.

At this point, how do I tally up the number of apps per user and only show the users which have nine or fewer apps associated with them?

isoutamo · ‎09-14-2022

Hi

you can try this

index=foo sourcetype=bar 
| stats dc(sm_agentname) as appsCount by sm_user_dn
| where appsCount < 10

r. Ismo

View solution in original post

isoutamo · ‎09-14-2022

Hi

you can try this

index=foo sourcetype=bar 
| stats dc(sm_agentname) as appsCount by sm_user_dn
| where appsCount < 10

r. Ismo

beetlegeuse · ‎09-19-2022

Thank you...this did the trick!

beetlegeuse · ‎09-14-2022

Thank you @isoutamo ! One additional ask: What would be added to count the number of users that meet the "less than 10" criteria? Does the number returned in the "Statistics" tab header reflect that?

How to count number of applications associated with a given user and report if less than 10?

table

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

Observability Highlights | January 2023 Newsletter

Security Highlights | January 2023 Newsletter