https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296137#M162879 <P>I converted it to an answer. But as I was doing so, I realized that I didn't really solve your issue, so feel free to post your own answer with an explanation of what you were doing, how you troubleshot it, and what the solution was - and then accept that. If you're up for that, it might help someone in the future. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 15 Feb 2018 20:41:31 GMT elliotproebstel 2018-02-15T20:41:31Z https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296132#M162874 <P>Hi,</P> <P>We have some events in which two fields appname and UserID are listed. Which shows in each event that which user was trying to hit that application. UserID is a numeric field. </P> <P>Now my requirement is to get a dashboard which shows in last one hour how many users were accessing the apps . Basically count of users by application. i did like this :</P> <PRE><CODE>| stats dc(UserId) by appName </CODE></PRE> <P>I dont get any stat values in the results.</P> Thu, 15 Feb 2018 20:03:58 GMT https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296132#M162874 macadminrohit 2018-02-15T20:03:58Z https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296133#M162875 <P>Is it perhaps as minor as capitalization? In your text you said it was <CODE>UserID</CODE>, but in your search you used <CODE>UserId</CODE>.</P> <P>Try:</P> <PRE><CODE>| stats dc(UserID) by appName </CODE></PRE> Thu, 15 Feb 2018 20:13:13 GMT https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296133#M162875 micahkemp 2018-02-15T20:13:13Z https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296134#M162876 <P>I notice that your description mentions a field called <CODE>appname</CODE>, and your search query uses <CODE>appName</CODE>. Is that just a typo in your post? Splunk is case-sensitive in handling field names, so that discrepancy could be the cause.</P> <P>If not, can you share any errors you're getting? Or post a sample of the data returned by your search at the stage immediately before the stats call you posted? And last question - in your dashboard, what type of panel are you trying to use to display the data: an events table, a stats table, a single?</P> Thu, 15 Feb 2018 20:15:26 GMT https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296134#M162876 elliotproebstel 2018-02-15T20:15:26Z https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296135#M162877 <P>Thanks, i messed up with the JSON parsing. These are nested fields and i was trying to access them directly.</P> Thu, 15 Feb 2018 20:38:17 GMT https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296135#M162877 macadminrohit 2018-02-15T20:38:17Z https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296136#M162878 <P>Not sure how to convert your comment to answer. I want to accept it as the answer.</P> Thu, 15 Feb 2018 20:39:16 GMT https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296136#M162878 macadminrohit 2018-02-15T20:39:16Z https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296137#M162879 <P>I converted it to an answer. But as I was doing so, I realized that I didn't really solve your issue, so feel free to post your own answer with an explanation of what you were doing, how you troubleshot it, and what the solution was - and then accept that. If you're up for that, it might help someone in the future. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 15 Feb 2018 20:41:31 GMT https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296137#M162879 elliotproebstel 2018-02-15T20:41:31Z https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296138#M162880 <P>Simple fix was to access the field name through nested parsing, i was using appName instead of hdr.appName</P> Thu, 15 Feb 2018 22:45:58 GMT https://community.splunk.com/t5/Splunk-Search/Count-of-users/m-p/296138#M162880 macadminrohit 2018-02-15T22:45:58Z