topic Re: Getting user count in Splunk Search

Getting user count

zacksoft — Tue, 12 Jun 2018 11:24:45 GMT

Our logs contain user name and the corresponding agile-board he used.
A user might have used multiple agile-boards ; An agile-board could have been used my multiple users.
I'm trying to figure out a count to illustrate 'how many (unique)users' had accessed each agile-board.

====================================================================================
Sample Event:

20.138.409.2 514x265646x9 ZQ93123 [12/Jun/2018:06:54:08 -0400] "POST /rest/analytics/1.0/publish/bulk HTTP/1.1" 200 - 2 "https://phun.mayhem.com/secure/ActivBoard.jspa?agileBord=53322&view=planning&selectedIssue=KK-273" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 1.0.51727; .NET CLR 5.4.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; wbx 1.0.0)" "a7fxqz"

ZQ93123 is the user name and 53322 is the agileBord name.
If one user opens accesses the board, multiple events gets created with the same agile-board name and username. We ought to figure out the unique (total)count of users access per agileboard.

Re: Getting user count

FrankVl — Tue, 12 Jun 2018 11:35:58 GMT

This can be established by a simple distinct count:

...your base search to get to this data...
| rex "^\S+\s+\S+\s+(?<user>\S+)"
| rex "agileBord=(?<agileBord>[^&]+)"
| stats dc(user) by agileBord

Re: Getting user count

zacksoft — Tue, 12 Jun 2018 12:31:07 GMT

There is something wrong with my extraction. That's why | stats command work with mine.
Hence raised the question. I could use some help in extraction

Re: Getting user count

FrankVl — Tue, 12 Jun 2018 13:52:12 GMT

Updated my answer with the rex commands to extract user and agileBord fields. Let me know if that helps 🙂

Re: Getting user count

zacksoft — Tue, 12 Jun 2018 14:18:06 GMT

It does work brilliantly. Thank you.
If I may add one more thing,
Now, I see two columns, agilebord and dc(user) and the agilebord number is like 2234, 6784 etc...
Instead of that can I have some string appended to it , so that the agilebord column looks like this
https://phun.mayhem.com/secure/SuperBoard.jspa?AgileView=2234
https://phun.mayhem.com/secure/SuperBoard.jspa?AgileView=6784

Re: Getting user count

FrankVl — Tue, 12 Jun 2018 15:00:54 GMT

sure, just add the following at the end:

| eval agileBord = "https://phun.mayhem.com/secure/SuperBoard.jspa?AgileView=".agileBord