
timechart of raw event count against per-user count

awurster
Contributor

hi folks -

i'm trying to plot a timechart with two separate values:

1 - the raw event count (a.k.a total number of "transactions") over time
2 - the value of said raw event count over time, divided by the number of unique / distinct users

i'd also like to try and get a 3rd single value which represents the average number of transactions for any given day across the whole deployment. i imagine that'd be a saved search based on the search above, which i can summarise.

the deployment consists of several cisco WSAs submitting their access log data.

** note that "users" who do not authenticate show up as user_id="-" however i've used eval to substitute the device IP (dvc_ip) wherever that hyphen occurs, for cleaner data.

eval user_id=if(user_id=="-",dvc_ip,user_id)

cheers,

andrew


kristian_kolb
Ultra Champion

Perhaps this can give you some insights regarding the use of timechart, eventstats, eval and addtotals. It's based on _internal data, so you can run it for yourself.

index=_internal sourcetype=splunkd earliest=-5d@d latest=@d
| timechart span=1d c by group limit=0 useother=f 
| addtotals fieldname=Daily_Total 
| eventstats avg(Daily_Total) AS Total_Avg  
| eval Total_Avg=round(Total_Avg,1) 
| eval Total_Diff = Daily_Total - Total_Avg

Hope this helps,

K

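Applying the pattern from the answer above to the question as actually asked (raw count, count divided by distinct users, and a deployment-wide daily average), here is a search that produces all three in one pass. This is an added example, not code from either poster. It assumes the WSA access logs are indexed under the sourcetype cisco:wsa:squid and carry the user_id and dvc_ip fields named in the question; the output field names total_transactions, distinct_users, per_user and avg_daily_total are illustrative and can be renamed freely.

```spl
sourcetype="cisco:wsa:squid" earliest=-7d@d latest=@d
| eval user_id=if(user_id=="-", dvc_ip, user_id)
| timechart span=1d count AS total_transactions dc(user_id) AS distinct_users
| eval per_user=round(total_transactions / distinct_users, 2)
| eventstats avg(total_transactions) AS avg_daily_total
| eval avg_daily_total=round(avg_daily_total, 1)
```

A few things to check before trusting the numbers. The eval on the second line must run before timechart, otherwise dc(user_id) counts "-" as a single extra user instead of one pseudo-user per device IP. The earliest=-7d@d latest=@d window deliberately excludes the current, partial day so it does not drag avg_daily_total down. dc(user_id) inside timechart is per span, so distinct_users is the number of users seen that day, not a running total. The eventstats line repeats the same average on every row, which is what a timechart overlay needs; for a standalone single-value panel or a saved search, replace the last two lines with a plain stats avg(total_transactions) AS avg_daily_total so the search returns one row. Finally, substituting dvc_ip for "-" treats every unauthenticated host behind a shared NAT address or downstream proxy as one user, so per_user will be inflated for those segments; if that matters, keep an unauthenticated=if(user_id=="-",1,0) flag and report authenticated and unauthenticated traffic separately rather than merging them.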