https://community.splunk.com/t5/Splunk-Search/Count-users-successful-logins-over-time/m-p/658368#M227425 <P>When you say&nbsp;<STRONG>per day</STRONG> and&nbsp;<STRONG>per week</STRONG> do you mean you want unique user count in a week as long as a person logged in once in that week, or do you want to show a daily unique user count AND a weekly unique user count?</P><P>Building on&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a>&nbsp;comments, to get count of users per day then it's</P><LI-CODE lang="markup">&lt;some other selectors&gt; event=login status=success earliest=-1mon | timechart span=1w@w dc(user) as users</LI-CODE><P>will give you a weekly unique count from Sun-&gt;Sat</P><P>If you want to get unique by day as well as by week, then do the daily dc() count and save the values and then after bin by week and add in the dc() count for the week</P><LI-CODE lang="markup">| timechart span=1d dc(user) as users values(user) as tmp_users | eval t=_time | bin t span=1w@w | eventstats dc(tmp_users) as weekly_users by t | fields - tmp_users t</LI-CODE><P>&nbsp;</P> Fri, 22 Sep 2023 02:08:36 GMT bowesmana 2023-09-22T02:08:36Z https://community.splunk.com/t5/Splunk-Search/Count-users-successful-logins-over-time/m-p/658347#M227411 <P>I would like to get the number of people connected (one successful login session per user per day will suffice) to our network over a month period using earliest and now() attributes. The figures should be presented per week like a chart</P> Thu, 21 Sep 2023 20:23:34 GMT https://community.splunk.com/t5/Splunk-Search/Count-users-successful-logins-over-time/m-p/658347#M227411 DanAlexander 2023-09-21T20:23:34Z https://community.splunk.com/t5/Splunk-Search/Count-users-successful-logins-over-time/m-p/658359#M227419 <P>You have to tell volunteers how your data looks like. &nbsp;Forget Splunk. &nbsp;How do you tell there is a new login, how do you tell a new login is successful from your data?</P><P>Suppose your data have three fields, user, event, and status, where event "login" signifies a new login, and status "success" signifies success. &nbsp;A generic way to do this would be</P><LI-CODE lang="markup">&lt;some other selectors&gt; event=login status=success earliest=-1mon | timechart span=1d count by user</LI-CODE><P>&nbsp;</P> Thu, 21 Sep 2023 23:38:12 GMT https://community.splunk.com/t5/Splunk-Search/Count-users-successful-logins-over-time/m-p/658359#M227419 yuanliu 2023-09-21T23:38:12Z https://community.splunk.com/t5/Splunk-Search/Count-users-successful-logins-over-time/m-p/658368#M227425 <P>When you say&nbsp;<STRONG>per day</STRONG> and&nbsp;<STRONG>per week</STRONG> do you mean you want unique user count in a week as long as a person logged in once in that week, or do you want to show a daily unique user count AND a weekly unique user count?</P><P>Building on&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a>&nbsp;comments, to get count of users per day then it's</P><LI-CODE lang="markup">&lt;some other selectors&gt; event=login status=success earliest=-1mon | timechart span=1w@w dc(user) as users</LI-CODE><P>will give you a weekly unique count from Sun-&gt;Sat</P><P>If you want to get unique by day as well as by week, then do the daily dc() count and save the values and then after bin by week and add in the dc() count for the week</P><LI-CODE lang="markup">| timechart span=1d dc(user) as users values(user) as tmp_users | eval t=_time | bin t span=1w@w | eventstats dc(tmp_users) as weekly_users by t | fields - tmp_users t</LI-CODE><P>&nbsp;</P> Fri, 22 Sep 2023 02:08:36 GMT https://community.splunk.com/t5/Splunk-Search/Count-users-successful-logins-over-time/m-p/658368#M227425 bowesmana 2023-09-22T02:08:36Z