https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/508356#M2530 <P><BR />Hello Splunkers!</P><P>&nbsp;Please find sample Log attached, in this UserId available. Based on this log need Splunk query to create dashboard/search query to get output.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sample Log.PNG" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9591iCE37E178A3F1C8A3/image-size/large?v=v2&amp;px=999" role="button" title="Sample Log.PNG" alt="Sample Log.PNG" /></span></P><P>1. The number of user logins on a Daily, Weekly or Monthly basis. (need a query for this)</P><P>2. The number of internal vs external user login trend.&nbsp;(need a query for this)</P><P>3. Peak user login time of the day.&nbsp;(need a query for this)</P><P>4. Peak user login day of the week.&nbsp;(need a query for this)</P><P>5. Average time spent on the Platform by Users.&nbsp;(need a query for this)</P> Thu, 09 Jul 2020 17:18:00 GMT phanichintha 2020-07-09T17:18:00Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/508356#M2530 <P><BR />Hello Splunkers!</P><P>&nbsp;Please find sample Log attached, in this UserId available. Based on this log need Splunk query to create dashboard/search query to get output.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sample Log.PNG" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9591iCE37E178A3F1C8A3/image-size/large?v=v2&amp;px=999" role="button" title="Sample Log.PNG" alt="Sample Log.PNG" /></span></P><P>1. The number of user logins on a Daily, Weekly or Monthly basis. (need a query for this)</P><P>2. The number of internal vs external user login trend.&nbsp;(need a query for this)</P><P>3. Peak user login time of the day.&nbsp;(need a query for this)</P><P>4. Peak user login day of the week.&nbsp;(need a query for this)</P><P>5. Average time spent on the Platform by Users.&nbsp;(need a query for this)</P> Thu, 09 Jul 2020 17:18:00 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/508356#M2530 phanichintha 2020-07-09T17:18:00Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/508464#M2540 <DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><P>first of all to make this easier and not need a REX if you add | table* at the end does it put all those fields you want into individual tables and of so can you provide the header names of the columns they go into?&nbsp;</P> Fri, 10 Jul 2020 11:06:23 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/508464#M2540 samneo 2020-07-10T11:06:23Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/508846#M2579 <P>Hello,</P><P><STRONG>sourcetype="%forge%" source="/home/amadmin/log/authentication.audit.json" eventName=AM-LOGIN-COMPLETED OR eventName=AM-LOGOUT userId=*</STRONG></P><P><STRONG>Need a query for this:&nbsp;</STRONG><SPAN>Average time spent on the Platform by Users?</SPAN></P> Mon, 13 Jul 2020 16:37:21 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/508846#M2579 phanichintha 2020-07-13T16:37:21Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/508988#M2601 <P>anyone please update..</P> Tue, 14 Jul 2020 05:52:17 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/508988#M2601 phanichintha 2020-07-14T05:52:17Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/508997#M2603 <DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><P>Try something like the below</P><P>&nbsp;</P><P>| stats count avg(eventName) by userId</P><P>or</P><P>| eventstats avg(eventName) as events by userId</P><P>&nbsp;</P><P>Try one of them to see if it works for you</P> Tue, 14 Jul 2020 07:42:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/508997#M2603 samneo 2020-07-14T07:42:29Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509003#M2604 <P>Hello Samneo, Thanks for your query,</P><P>I tried for the first case, the snap shows like this. but I need Avg time spent on login and logout by user.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="phanichintha_0-1594713123557.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9684i92A2698F8054E9FE/image-size/medium?v=v2&amp;px=400" role="button" title="phanichintha_0-1594713123557.png" alt="phanichintha_0-1594713123557.png" /></span></P><P>&nbsp;</P> Tue, 14 Jul 2020 07:55:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509003#M2604 phanichintha 2020-07-14T07:55:04Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509010#M2605 <DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><P>When you say time spent, do you want to calculate from the time they logged in and then out and then the total to show?&nbsp;</P> Tue, 14 Jul 2020 08:11:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509010#M2605 samneo 2020-07-14T08:11:04Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509011#M2606 <P>Yes, exactly which i mean.</P><P>Ex: each user spent how much time on work per day.</P> Tue, 14 Jul 2020 08:13:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509011#M2606 phanichintha 2020-07-14T08:13:09Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509166#M2611 <P>Hello Neo/ Anyone,</P><P>Can anyone please share your valuable help.</P> Wed, 15 Jul 2020 04:28:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509166#M2611 phanichintha 2020-07-15T04:28:13Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509460#M2647 <P>Hello, can anyone help on priority, well appreciated.</P> Thu, 16 Jul 2020 06:53:49 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509460#M2647 phanichintha 2020-07-16T06:53:49Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509643#M2672 <P>Hello, no one has answers for my questions I guess.</P> Fri, 17 Jul 2020 05:19:53 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509643#M2672 phanichintha 2020-07-17T05:19:53Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509793#M2686 <P data-unlink="true">Hi&nbsp;phanichintha,</P> <P><SPAN style="font-weight: 400;">This question has been answered and is marked as solved. If you need help with a separate issue, please post a brand new question so your issue can get more visibility.</SPAN></P> Fri, 17 Jul 2020 20:37:52 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Dashboard-Search-Query-Alert/m-p/509793#M2686 sensitive-thug 2020-07-17T20:37:52Z