https://community.splunk.com/t5/Splunk-Search/resetting-a-counter-for-each-day/m-p/84826#M21624 <P>Is your goal to verify that you have 0 users over the day, or are you actually looking to see when you have the most concurrent sessions? I imagine that at the end of the day all users will have logged out, so doing a timechart with a span of 1 day will just get you 0 users (if things worked correctly) or a non-zero value (if things didn't work correctly). Don't you want a timechart with a shorter span so you can see the peak over the course of one day?</P> Wed, 27 Jun 2012 06:19:19 GMT Ayn 2012-06-27T06:19:19Z https://community.splunk.com/t5/Splunk-Search/resetting-a-counter-for-each-day/m-p/84825#M21623 <P>I try to count the maximum of concurrent sessions on a system where the data I have are login and logout events. I'm using eval() - something I found in another post here, incrementing a counter when someone logs in, and decrementing on a logout. Looks like this:</P> <P>eval count=if<BR /> (id="login",1,-1) | sort + _time | accum count as activeusers | timechart span=1d max(activeusers)</P> <P>This seems to work in general, but obviously the data is slightly inconsistent - I don't have 0 users at the end of the day. The errors add up over time so that the end result is rather useless.</P> <P>I know that having consistent data would be more useful, but I can't correct that at this time. So I'm looking for a way to have my counter start at zero on each day. Any idea how to do that (or solve the problem somehow completely different in a better way)?</P> Wed, 27 Jun 2012 05:43:09 GMT https://community.splunk.com/t5/Splunk-Search/resetting-a-counter-for-each-day/m-p/84825#M21623 bochmann 2012-06-27T05:43:09Z https://community.splunk.com/t5/Splunk-Search/resetting-a-counter-for-each-day/m-p/84826#M21624 <P>Is your goal to verify that you have 0 users over the day, or are you actually looking to see when you have the most concurrent sessions? I imagine that at the end of the day all users will have logged out, so doing a timechart with a span of 1 day will just get you 0 users (if things worked correctly) or a non-zero value (if things didn't work correctly). Don't you want a timechart with a shorter span so you can see the peak over the course of one day?</P> Wed, 27 Jun 2012 06:19:19 GMT https://community.splunk.com/t5/Splunk-Search/resetting-a-counter-for-each-day/m-p/84826#M21624 Ayn 2012-06-27T06:19:19Z https://community.splunk.com/t5/Splunk-Search/resetting-a-counter-for-each-day/m-p/84827#M21625 <P>For now I just need the maximum of concurrent sessions for each day (which is a metric for the licensing on the system - so I'd like to get a view on how that develops over time, and get an early warning when I might need additional licenses). <BR /> I thought that's what I would get by charting max(activeusers) in this case. A more fine resolution would be nice, but is not required.</P> Wed, 27 Jun 2012 06:47:34 GMT https://community.splunk.com/t5/Splunk-Search/resetting-a-counter-for-each-day/m-p/84827#M21625 bochmann 2012-06-27T06:47:34Z https://community.splunk.com/t5/Splunk-Search/resetting-a-counter-for-each-day/m-p/84828#M21626 <P>I think this will do it:</P> <PRE><CODE>eval count=if(id="login",1,-1) | timechart span=1d sum(count) AS activeusers </CODE></PRE> <P>That will show you the chart day-by-day but if you just need the max out of all days, do this:</P> <PRE><CODE>eval count=if(id="login",1,-1) | timechart span=1d sum(count) AS activeusers | stats max(activeusers) </CODE></PRE> Thu, 09 Jul 2015 16:44:39 GMT https://community.splunk.com/t5/Splunk-Search/resetting-a-counter-for-each-day/m-p/84828#M21626 woodcock 2015-07-09T16:44:39Z https://community.splunk.com/t5/Splunk-Search/resetting-a-counter-for-each-day/m-p/84829#M21627 <P>Did this work?</P> Wed, 04 Nov 2015 21:20:33 GMT https://community.splunk.com/t5/Splunk-Search/resetting-a-counter-for-each-day/m-p/84829#M21627 woodcock 2015-11-04T21:20:33Z