Splunk Search

How to count number of applications associated with a given user and report if less than 10?

beetlegeuse
Path Finder

I'm working on a search that evaluates events for a specific index/sourcetype combination; the events reflect SSO information regarding user authentication success as well as applications the user has accessed while logged on. The search is a result of an ask to identify how many users have accessed 10 or fewer apps during their logon session. 

For the user, I'm using a field called "sm_user_dn"; for the app name, I'm using "sm_agentname". My search looks like this currently:

index=foo sourcetype=bar | table sm_user_dn, sm_agentname

This is pretty basic, and shows me all the user name/app combinations that have been reported in the events. 

At this point, how do I tally up the number of apps per user and only show the users which have nine or fewer apps associated with them?


isoutamo
SplunkTrust

Hi

You can try this:

index=foo sourcetype=bar 
| stats dc(sm_agentname) as appsCount by sm_user_dn
| where appsCount < 10

r. Ismo 


beetlegeuse
Path Finder

Thank you...this did the trick!


beetlegeuse
Path Finder

Thank you @isoutamo ! One additional ask: What would be added to count the number of users that meet the "less than 10" criteria? Does the number returned in the "Statistics" tab header reflect that? 

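Worked example, added here and not part of the thread or of the poster's search: the accepted `stats dc(...)` / `where` pipeline run over a small constructed data set so it can be pasted into any Splunk search bar without needing the `index=foo sourcetype=bar` events. The first lines build the sample with `makeresults`, `makemv`, `mvexpand` and `rex`; the user and app values (alice, bob, carol, portal, mail, ...) are made up, only the field names `sm_user_dn` and `sm_agentname` come from the question. The `stats` line also keeps `count` next to `dc(...)` to make the difference visible: `dc` counts distinct apps, `count` counts access events, so a user who opens the same app repeatedly is not inflated. The last line goes beyond the accepted answer and addresses the follow-up question by reducing the filtered rows to a single number of users.

```spl
| makeresults
| eval sample="alice|portal,alice|portal,alice|mail,bob|portal,bob|mail,bob|hr,bob|crm,bob|wiki,bob|vpn,bob|jira,bob|git,bob|ci,bob|docs,bob|chat,carol|mail"
| makemv delim="," sample
| mvexpand sample
| rex field=sample "^(?<sm_user_dn>[^|]+)\|(?<sm_agentname>.+)$"
| fields sm_user_dn sm_agentname
| stats dc(sm_agentname) as appsCount, count as accessEvents by sm_user_dn
| where appsCount < 10
| stats count as usersUnderTen, values(sm_user_dn) as users
```

With this sample, alice has 3 access events but only 2 distinct apps, carol has 1, and bob has 11 distinct apps and is dropped by the `where` clause, so the final row shows `usersUnderTen=2` with `users` listing alice and carol. Remove the last `stats` line to see the per-user table (one row per `sm_user_dn` with `appsCount` and `accessEvents`) instead of the single total. Against real data, replace the `makeresults` through `fields` lines with `index=foo sourcetype=bar` as in the accepted answer.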