Solved: Re: Is there a way to get the number to only show ...

supersnedz · ‎03-28-2023

Hello all, im looking to create a dashboard for certain accounts. I have a list of 20 accounts that need to be monitored if they are logging in or not. I did a stats count and can see all the accounts however putting this into a single value visualization shows a count for all the logs so its showing as millions as its counting each log for the accounts.

Is there a way to get the number to only show if it sees an account rather than account and every log associated with it, I should only have a max of 20.

Thank you

srauhala_splunk · ‎03-29-2023

To not search events from all account you could use a csv file as a base for your search filter. The subsearch will output the result of accounts.csv in the form ((account="account_1") OR (account="account_2") etc )

index=my_index_with_account_data 
  [| inputlookup accounts.csv
   | table account
   | format]
| table _time, account, *

/Seb

View solution in original post

srauhala_splunk · ‎03-29-2023

To not search events from all account you could use a csv file as a base for your search filter. The subsearch will output the result of accounts.csv in the form ((account="account_1") OR (account="account_2") etc )

index=my_index_with_account_data 
  [| inputlookup accounts.csv
   | table account
   | format]
| table _time, account, *

/Seb

supersnedz · ‎04-27-2023

Thank you for this! works perfectly

ITWhisperer · ‎03-28-2023

| stats count by account
| stats count

Is there a way to get the number to only show if it sees an account rather than account and every log associated with it

chart

stats

tstats

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk