I want to count user_ids that appear more than once per month. (ie a user that has used the product multiple times).
I've tried a few variations such as :
search XXX | dedup XXX | stats count by user_id | where count >1
but can't seem to get it to work. Hoping to be able to display the count as a single number as well as timechart it so I can show the number over the last X months..
Any suggestions? It feels like it should've been easier than it has been!
It is not clear what the dedup is doing, nor what the search XXX is for, but let's assume it is for the product you are interested in. Next, it isn't clear what the single would show. Is it how many users have used the product multiple times?
| bin _time span=1mon
| stats count by _time user_id
| where count > 1
| timechart count span=1mon
It is not clear what the dedup is doing, nor what the search XXX is for, but let's assume it is for the product you are interested in. Next, it isn't clear what the single would show. Is it how many users have used the product multiple times?
| bin _time span=1mon
| stats count by _time user_id
| where count > 1
| timechart count span=1mon
Thanks heaps! I knew it was going to be something simple like that.
Appreciate your help. Cheers
Hi @rsAU
The above reply should work fine for your situation.
if still any issues, pls update us
1) your full search query (remove any confidential info)
2) maybe a screenshot is better
Hi @rsAU ,
let me understand:
you want to count the users that accessed the system more than one time, is this correct?
You can use a simple search:
<your_search>
| stats count by user_id
| where count>1
Ciao.
Giuseppe
Thanks Giuseppe - that worked for the single value! I'm pretty sure I had tried it already, but I was probably trying to over-engineer it.
Cheers