How to get a daily count of distinct users over a large time range without re-running from beginning of time

e_sherlock — Wed, 13 Mar 2013 17:23:52 GMT

I have a simple "| stats dc()" command to get a cumulative sum of distinct users; however, I don't want to have to run this query from the beginning of time every day it runs for performance reasons.

These couple routes came to mind, but don't seem best...

Summary indexes can write out the distinct users per day, but seems like couldn't compute distinct over the whole set of days.
Write the distinct values to lookup and only adding the new values each day -- a kinda hacky incremental approach.

Any ideas on the optimal solution?

Re: How to get a daily count of distinct users over a large time range without re-running from beginning of time

gkanapathy — Mon, 28 Sep 2020 13:30:32 GMT

The best way would be to use sistats and a summary, or alternatively, use report acceleration. With report acceleration, just set up your search and tell Splunk to accelerate, and that should do it.

If you summarize yourself, then on a daily basis (and you can backfill later), you run a;

... | sistats dc(user) by x,y,z

and store that to a summary. Then to get your counts:

index=my_summary_index name=my_summary_job | stats dc(user)

(or ... | stats dc(user) by x,y,z or ... | stats dc(user) by x,y).

the sistats command will have saved the right data, and the stats command will know how to handle what sistats did. Yes, it is doing slightly clever things under the hood.

topic Re: How to get a daily count of distinct users over a large time range without re-running from beginning of time in Splunk Search

How to get a daily count of distinct users over a large time range without re-running from beginning of time

Re: How to get a daily count of distinct users over a large time range without re-running from beginning of time