Splunk search for count of unique Linux users

sourcetype=linux_secure NOT "invalid user" | rex "\suser\s(?<User>[^\s]+)\s" | stats dc(User) as "Unique Users"
This search returns a count of unique Linux users. It does not list the names of the users or the hosts they are operating on; it returns only the number of unique users present on the Linux hosts reporting data to Splunk.
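
The extraction logic of this search, reproduced in Python as an added example (not part of the original page) so it can be run over sample events without a Splunk instance. The log lines are constructed, and `extract_user` and `unique_users` are hypothetical helper names.

```python
import re

# Same pattern as the rex in the search; Python spells named groups (?P<name>...).
USER_RE = re.compile(r"\suser\s(?P<User>[^\s]+)\s")

# Constructed sample events in the style of /var/log/secure (not real log data).
SAMPLE_EVENTS = [
    "Jan 10 09:01:02 web01 sshd[1201]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Jan 10 09:05:40 web01 sshd[1201]: pam_unix(sshd:session): session closed for user alice",
    "Jan 10 09:07:11 web01 sshd[1310]: Accepted password for bob from 192.0.2.10 port 50122 ssh2",
    "Jan 10 09:07:12 web01 sshd[1310]: pam_unix(sshd:session): session opened for user bob(uid=1001) by (uid=0)",
    "Jan 10 09:09:30 web01 sshd[1422]: Failed password for invalid user admin from 192.0.2.77 port 40022 ssh2",
    "Jan 10 09:12:00 db01 su: pam_unix(su:session): session opened for user root by alice(uid=1000)",
    "Jan 10 09:15:00 db01 sshd[1500]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
]


def extract_user(event):
    """Return the value rex would put in User, or None when the event is
    dropped by NOT "invalid user" or the pattern does not match."""
    if "invalid user" in event.lower():  # Splunk term matching is case-insensitive
        return None
    m = USER_RE.search(event)
    return m.group("User") if m else None


def unique_users(events):
    """Equivalent of `stats dc(User)`: events with no User value are ignored."""
    return {u for u in map(extract_user, events) if u is not None}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        # e[16:] strips the constructed syslog timestamp for readability.
        print(f"{extract_user(e)!s:15} <- {e[16:]}")
    users = unique_users(SAMPLE_EVENTS)
    print("Unique Users:", len(users), sorted(users))
```

On these constructed events the count is 4 although only alice, bob and root appear as valid accounts, because `bob(uid=1001)` is captured as a separate value. Lines without the literal word `user` before the name, or with nothing after the name, yield no `User` value and do not contribute to the count.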

Category: Linux

Tags: linux user activity
