Is it possible ot get a unique user listing with s...

splunk4steve · ‎04-12-2013

I am trying to get a list of people who have logged in to our system in the last 24 hours. The unix app runs a script that generates this every 10 minutes or so. This is fine however I only need to see the information once...not the same list of users over and over again.

Is it possible to do a unique search with that sourcetype?

martin_mueller · ‎04-12-2013

There are several ways of making results unique. You could do a stats/chart/timechart by user, or run them over values(user), or use dedup, maybe more.

splunk4steve · ‎04-12-2013

Close! I think this might work:

index="os" sourcetype="who" host="*.domain.com" | dedup host

martin_mueller · ‎04-12-2013

So... this?

some search over 24 hours | table user | dedup

splunk4steve · ‎04-12-2013

I am basically trying to get a listing of all users who have logged in to a particular server over a period of 24 hours. I don't need to see that 'martin' logged in at 8:00am over and over again...I only need to see it once.

martin_mueller · ‎04-12-2013

What result are you trying to achieve from what data?

splunk4steve · ‎04-12-2013

I've tried using dedup. The problem is that the initial time/date stamp that Splunk adds makes it unique. Is there some way to filter that out?

Is it possible ot get a unique user listing with sourcetype="who"?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...