Hi all,
I am trying to get a count of all users signed into our VPN. While this is easy, I need it broken out based on the user's role into Sysadmin, Students, and Employees. The catch is management wants the Employees number to be a sum total of the Employees, Research, and Administrators, but NOT to include Sysadmins and students. All of these roles are results from the (you guessed it) "roles" field extraction.
index=pulsesecure vendor_action=Closed OR vendor_action=ended OR vendor_action=succeeded OR "Logout" OR "Max session timeout" OR vendor_action=started
| eval user = user. " " . src_ip
| sort -_time
| table user, roles, vendor_action, action, _time, src_ip
| dedup user
| search vendor_action=succeeded OR vendor_action=started
| stats count(user) by roles
This query gives us all the information that is being asked. I just need to get the 3 specific entries all added together from roles.
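One way to get the grouped count, given as an added example that is not part of the original post: keep the poster's pipeline and map each role to a reporting group with `eval` before the final `stats`. It assumes `roles` holds a single value per event and that the values are spelled exactly `Employees`, `Research`, `Administrators`, `Sysadmin` and `Students`; the field name `role_group` and the `Other` bucket are hypothetical names introduced here.

```spl
index=pulsesecure vendor_action=Closed OR vendor_action=ended OR vendor_action=succeeded OR "Logout" OR "Max session timeout" OR vendor_action=started
| eval user = user . " " . src_ip
| sort -_time
| table user, roles, vendor_action, action, _time, src_ip
| dedup user
| search vendor_action=succeeded OR vendor_action=started
| eval role_group = case(
    in(roles, "Employees", "Research", "Administrators"), "Employees",
    roles == "Sysadmin", "Sysadmin",
    roles == "Students", "Students",
    true(), "Other")
| stats count(user) AS sessions by role_group
```

The `Other` row collects any role value that matches none of the three groups, so a role that is new or spelled differently shows up in the result instead of being dropped from the totals.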