I'm working on a search that evaluates events for a specific index/sourcetype combination; the events reflect SSO information regarding user authentication success as well as applications the user has accessed while logged on. The search is a result of an ask to identify how many users have accessed 10 or fewer apps during their logon session.
For the user, I'm using a field called "sm_user_dn"; for the app name, I'm using "sm_agentname". My search looks like this currently:
index=foo sourcetype=bar | table sm_user_dn, sm_agentname
This is pretty basic, and shows me all the user name/app combinations that have been reported in the events.
At this point, how do I tally up the number of apps per user and only show the users which have nine or fewer apps associated with them?
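One way to do the tally in SPL, added here as an illustration and not taken from the original post. It assumes the index, sourcetype and field names exactly as given above (index=foo, sourcetype=bar, sm_user_dn, sm_agentname); the threshold of 9 follows the final sentence of the post and can be changed to whatever cutoff is actually wanted:

```spl
index=foo sourcetype=bar sm_user_dn=* sm_agentname=*
| stats dc(sm_agentname) AS app_count, values(sm_agentname) AS apps BY sm_user_dn
| where app_count <= 9
| sort - app_count
```

The `sm_user_dn=* sm_agentname=*` terms drop events missing either field so a blank user or app name does not turn into a row of its own. `dc()` counts distinct app names per user; `count` would count events instead, so a user who hit the same app twenty times would look like a heavy app consumer. `values()` keeps the list of apps alongside the number, which is handy when someone asks which apps a given user touched. The filter has to be `where` rather than `search` at that point because `app_count` is a computed field that only exists after `stats`. If the events also carry a session identifier and the ask really is per logon session rather than per user over the whole search window, add that field to the `BY` clause (for example `BY sm_user_dn, <session_field>`, where the session field name is an assumption the post does not mention).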