https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158145#M185849 <P>Go into more detail. Why do you need to use a regular expression? What are you attempting to accomplish by it?</P> Tue, 28 Apr 2015 12:54:43 GMT acharlieh 2015-04-28T12:54:43Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158131#M185835 <P>I have a query</P> <PRE><CODE>index=casm_prod sourcetype=smtrace "Center realm" | rex "(?i) Realm\\]\\[\\]\\[\\]\\[\\]\\[\\]\\[\\]\\[(?P[^\\]]+" |bucket _time span=1m |stats count(user) as eventcount by _time, user </CODE></PRE> <P>From the above query i am unable to get the result</P> <P>Requirement what i need is .............looking for a user once per mintue in dashboard</P> <P>Kindly correct my Query </P> Mon, 27 Apr 2015 13:43:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158131#M185835 moiezuddin 2015-04-27T13:43:35Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158132#M185836 <P>Can you provide some sample events please?</P> Mon, 27 Apr 2015 14:07:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158132#M185836 MuS 2015-04-27T14:07:05Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158133#M185837 <P>At the end of your query use ,<BR /> |stats values(user) as user count(user) as eventcount by _time</P> <P>use user also after by clause i.e,<BR /> |stats values(user) as USER count(user) as eventcount by _time user|fields USER eventcount</P> <P>But i don't think that can be fruitful.<BR /> Let me know if need more assistance.</P> <P><STRONG><EM>Updated Query with span of 1min...</EM></STRONG><BR /> index=casm_prod sourcetype=smtrace "Center realm" | rex "(?i) Realm\]\[\]\[\]\[\]\[\]\[\]\[(?P[^\]]+" |bucket span=5m _time|stats values(user) as USER count(user) as eventcount by _time |fields USER eventcount</P> Mon, 27 Apr 2015 15:08:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158133#M185837 neelamssantosh 2015-04-27T15:08:01Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158134#M185838 <P>this is a production application<BR /> and dedup on user does not give us accurate information <BR /> we are not looking for the most recent login <BR /> but rather ALL logins that happened<BR /><BR /> this is why we are only looking for a user once per minute. </P> Tue, 28 Apr 2015 05:46:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158134#M185838 moiezuddin 2015-04-28T05:46:45Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158135#M185839 <P>4/27/15 <BR /> 3:37:00.000 PM<BR /><BR /> [04/27/2015][12:37:57.821][992086960][s5036427/r60][Center realm][][][][][][206433741][][][][][][centerusushwswp222lprd][Send response attribute 147, data size is 0][]<BR /> index = casm_prod<BR /> 4/27/15 <BR /> 3:37:00.000 PM<BR /><BR /> [04/27/2015][12:37:57.821][992086960][s5036427/r60][Center realm][][][][][][206433741][][][][][][centerusushwswp222lprd][Send response attribute 146, data size is 0][]<BR /> index = casm_prod<BR /> 4/27/15 <BR /> 3:37:00.000 PM<BR /><BR /> [04/27/2015][12:37:57.821][992086960][s5036427/r60][Center realm][][][][][][206433741][][][][][][centerusushwswp222lprd][Send response attribute 224, data size is 16][sso_id=206433741]<BR /> index = casm_prod sso_id = 206433741<BR /> 4/27/15 <BR /> 3:37:00.000 PM<BR /><BR /> [04/27/2015][12:37:57.821][992086960][s5036427/r60][Center realm][][][][][][206433741][][][][][][centerusushwswp222lprd][Send response attribute 224, data size is 16][smuser=206433741]<BR /> index = casm_prod<BR /> 4/27/15 <BR /> 3:37:00.000 PM<BR /><BR /> [04/27/2015][12:37:57.821][992086960][s5036427/r60][Center realm][][][][][][206433741][][][][][][centerusushwswp222lprd][Send response attribute 224, data size is 22][georaclehrid=206433741]<BR /> index = casm_prod<BR /> 4/27/15 <BR /> 3:37:00.000 PM<BR /><BR /> [04/27/2015][12:37:57.821][992086960][s5036427/r60][Center realm][][][][][][206433741][][][][][][centerusushwswp222lprd][Send response attribute 224, dat</P> Mon, 28 Sep 2020 19:38:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158135#M185839 moiezuddin 2020-09-28T19:38:16Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158136#M185840 <P>Showing multiple login per minute</P> <P>can we do it only one login per minute without using dedup</P> Tue, 28 Apr 2015 06:38:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158136#M185840 moiezuddin 2015-04-28T06:38:35Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158137#M185841 <P>Will stats by date_minute, user help instead of using stats by _time,user?</P> Tue, 28 Apr 2015 06:55:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158137#M185841 vganjare 2015-04-28T06:55:20Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158138#M185842 <P>Good option but will not help us as we will miss the Time field.</P> Tue, 28 Apr 2015 06:58:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158138#M185842 neelamssantosh 2015-04-28T06:58:11Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158139#M185843 <P>Can you give me query clearly i am unable to understand</P> Tue, 28 Apr 2015 06:58:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158139#M185843 moiezuddin 2015-04-28T06:58:13Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158140#M185844 <P>try like :</P> <PRE><CODE>...|bucket _time span=1m |stats count as eventcount by _time, user </CODE></PRE> <P>or </P> <PRE><CODE>...| timechart per_minute(eval(count)) as eventcount by _time user </CODE></PRE> Tue, 28 Apr 2015 07:18:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158140#M185844 fdi01 2015-04-28T07:18:38Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158141#M185845 <P>As requirement we need to use regex the time out instead of bucket span for below query</P> <P>index=casm_prod sourcetype=smtrace "Center realm" | rex "(?i) Realm][][][][][][(?P[^]]+" |bucket span=5m _time|stats values(user) as USER count(user) as eventcount by _time |fields USER eventcount. </P> <P>can you provide to me please,</P> <P>Thanks.</P> Tue, 28 Apr 2015 07:27:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158141#M185845 moiezuddin 2015-04-28T07:27:21Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158142#M185846 <P>It sounds like you want the original _time value in the results? So something like:</P> <PRE><CODE>index=casm_prod sourcetype=smtrace "Center realm" | eval minute=relative_time(_time,"@m") | stats first(_time) as _time, count as eventcount by minute, user </CODE></PRE> Tue, 28 Apr 2015 12:37:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158142#M185846 acharlieh 2015-04-28T12:37:17Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158143#M185847 <P>Reading other comments are you meaning to use <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/regex">regex</A> instead of <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Rex">rex</A> ?</P> Tue, 28 Apr 2015 12:42:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158143#M185847 acharlieh 2015-04-28T12:42:57Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158144#M185848 <P>In the below query we used bucket span <BR /> but the requirement say need to use regex <BR /> index=casm_prod sourcetype=smtrace "Center realm" | rex "(?i) Realm][][][][][][(?P[^]]+" |bucket span=5m _time|stats values(user) as USER count(user) as eventcount by _time |fields USER eventcount</P> Tue, 28 Apr 2015 12:49:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158144#M185848 moiezuddin 2015-04-28T12:49:00Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158145#M185849 <P>Go into more detail. Why do you need to use a regular expression? What are you attempting to accomplish by it?</P> Tue, 28 Apr 2015 12:54:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158145#M185849 acharlieh 2015-04-28T12:54:43Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158146#M185850 <P>Is this an assignment of some sort?</P> Tue, 28 Apr 2015 12:56:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158146#M185850 acharlieh 2015-04-28T12:56:17Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158147#M185851 <P>In the index for siteminder called cams_prod, <BR /> there are traced filed with the type smtrace.<BR /><BR /> Using these trace files find the logs for the application using 'Center realm’.<BR /><BR /> Then created a regular expression to mine the user. <BR /> You will notice that user are able to be found many times each minute.<BR /><BR /> We need to fiter this so it only shows once per minute. </P> <P>Can you help in building it</P> Tue, 28 Apr 2015 12:58:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158147#M185851 moiezuddin 2015-04-28T12:58:06Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158148#M185852 <P>Can any one <STRONG>regex the time out</STRONG> for below query insted of <STRONG>bucket span</STRONG></P> <P>index=casm_prod sourcetype=smtrace "Center realm" | rex "(?i) Realm][][][][][][(?P[^]]+" |bucket span=5m _time|stats values(user) as USER count(user) as eventcount by _time |fields USER eventcount</P> Tue, 28 Apr 2015 14:12:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158148#M185852 moiezuddin 2015-04-28T14:12:39Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158149#M185853 <P>we need to use <STRONG>regex the time out</STRONG> instead of <STRONG>bucket span</STRONG> for below query</P> <P>index=casm_prod sourcetype=smtrace "Center realm" | rex "(?i) Realm][][][][][][(?P[^]]+" |bucket span=5m _time|stats values(user) as USER count(user) as eventcount by _time |fields USER eventcount. </P> <P>Please provide me the query</P> Tue, 28 Apr 2015 14:15:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158149#M185853 moiezuddin 2015-04-28T14:15:53Z https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158150#M185854 <P>In the below query we used bucket span <BR /> but the requirement say need to use regex the time out</P> <P>index=casm_prod sourcetype=smtrace "Center realm" | rex "(?i) Realm][][][][][][(?P[^]]+" |bucket span=5m _time|stats values(user) as USER count(user) as eventcount by _time |fields USER eventcount</P> <P>Please any help on it</P> Tue, 28 Apr 2015 14:16:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-user-once-per-minute/m-p/158150#M185854 moiezuddin 2015-04-28T14:16:50Z