Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count only events that appear more than once

rsAU
Explorer
2 weeks ago

I want to count user_ids that appear more than once per month. (ie a user that has used the product multiple times). 

I've tried a few variations such as :
search XXX | dedup XXX | stats count by user_id | where count >1

but can't seem to get it to work. Hoping to be able to display the count as a single number as well as timechart it so I can show the number over the last X months..

Any suggestions? It feels like it should've been easier than it has been!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

It is not clear what the dedup is doing, nor what the search XXX is for, but let's assume it is for the product you are interested in. Next, it isn't clear what the single would show. Is it how many users have used the product multiple times?

| bin _time span=1mon
| stats count by _time user_id
| where count > 1
| timechart count span=1mon

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

It is not clear what the dedup is doing, nor what the search XXX is for, but let's assume it is for the product you are interested in. Next, it isn't clear what the single would show. Is it how many users have used the product multiple times?

| bin _time span=1mon
| stats count by _time user_id
| where count > 1
| timechart count span=1mon
Reply
Solved! Jump to solution

rsAU
Explorer
2 weeks ago

Thanks heaps! I knew it was going to be something simple like that. 

Appreciate your help. Cheers

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
2 weeks ago

Hi @rsAU 

The above reply should work fine for your situation. 

if still any issues, pls update us 

1) your full search query (remove any confidential info)

2) maybe a screenshot is better 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
2 weeks ago

Hi @rsAU ,

let me understand:

you want to count the users that accessed the system more than one time, is this correct?

You can use a simple search:

<your_search>
| stats count by user_id 
| where count>1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

rsAU
Explorer
2 weeks ago

Thanks Giuseppe - that worked for the single value! I'm pretty sure I had tried it already, but I was probably trying to over-engineer it. 

Cheers

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...