https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-that-will-identify-student-IDs-that-visit/m-p/222041#M65282 <P>Following will give you count of various pages accessed for the list of all users. Lower count implies rarely accessed.</P> <PRE><CODE>your base search | chart count over user_id by page | rename count as page_accessed </CODE></PRE> <P>Similarly, you can also reverser user_id and page field as per your need, which will give you a list of all pages and users count for those who accessed the same.</P> <PRE><CODE>your base search | chart count over page by user_id | rename count as page_accessed </CODE></PRE> <P>While above is statistical function to get data for user logins. What you really want is to detect outliers in user access. Refer to <STRONG>Splunk Machine Learning Toolkit app</STRONG> which has Showcase example to <STRONG>"Detect Outliers in Number of Logins (vs. Predicted Value)"</STRONG></P> Mon, 07 Nov 2016 18:22:03 GMT niketn 2016-11-07T18:22:03Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-that-will-identify-student-IDs-that-visit/m-p/222040#M65281 <P>Hi I have a Splunk search as below :</P> <PRE><CODE>My Search| where date_hour&gt;=19 OR date_hour&lt;7| bin span=1h _time | convert ctime(_time) as Date_and_Time | stats values(page) as page_accessed by user_id| sort-count | head 5 |rename user_id AS Student_id | </CODE></PRE> <P>Which displays the result as follows :</P> <PRE><CODE>Student_id page_accessed A1234 HomePage SemesterReport B5678 HomePage Course_Structure Syllabus A5678 Attendance HomePage B1234 CourseStructure </CODE></PRE> <P>So, now I want to display only the Student_id's who are visiting pages outside of what they regularly access, is it possible to identify that in Splunk? </P> <P>For example, consider Student id "A1234": Daily he used to access the HomePage, SemesterReport but yesterday he is accessing the CourseStructure Page. I want to see his student-id and what he visited other than what he regularly visited as next the panel.</P> Mon, 07 Nov 2016 16:51:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-that-will-identify-student-IDs-that-visit/m-p/222040#M65281 pavanae 2016-11-07T16:51:18Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-that-will-identify-student-IDs-that-visit/m-p/222041#M65282 <P>Following will give you count of various pages accessed for the list of all users. Lower count implies rarely accessed.</P> <PRE><CODE>your base search | chart count over user_id by page | rename count as page_accessed </CODE></PRE> <P>Similarly, you can also reverser user_id and page field as per your need, which will give you a list of all pages and users count for those who accessed the same.</P> <PRE><CODE>your base search | chart count over page by user_id | rename count as page_accessed </CODE></PRE> <P>While above is statistical function to get data for user logins. What you really want is to detect outliers in user access. Refer to <STRONG>Splunk Machine Learning Toolkit app</STRONG> which has Showcase example to <STRONG>"Detect Outliers in Number of Logins (vs. Predicted Value)"</STRONG></P> Mon, 07 Nov 2016 18:22:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-that-will-identify-student-IDs-that-visit/m-p/222041#M65282 niketn 2016-11-07T18:22:03Z