Create a splunk dashboard with following format

balascjp · ‎01-24-2020

Hello everyone

I am trying to create a splunk dashboard like below format with graphical or table structure.

Monthly status report (split down into weeks) for the number of unique user sessions and unique users.

Week 02/2020

Day unique_users unique_sessions

06.01 xx yy

07.01 xx yy

08.01 xx yy

09.01 xx yy

10.01 xx yy

11.01 xx yy

Avg. Per day

Week 03/2020

13.01

14.01

15.01

16.01

17.01

18.01

Avg. Per day

Week 04/2020

20.01

21.01

22.01

23.01

24.01

25.01

Avg. Per day

I am very new to splunk and just started learning it. please guide me

 <dashboard>
  <row>
    <panel>
      <title>Last hour</title>
      <chart>
        <title>unique-sessions</title>
        <search>
          <query>index=*xxxx* namespace=yyyyy container_name=zzzz | stats count by ctxSessionID | stats count as unique_sessions</query>
          <earliest>-24h@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">1</option>
      </chart>
    </panel>
  </row>
</dashboard>

gcusello · ‎01-24-2020

Hi @balascjp,
I haven't your data so I tried with Splunk internal data, so you can see my approach:

index=_internal
| bin _time span=10m
| stats dc(component) AS component dc(group) AS group BY _time

In other words:

at first divide the events in bins ot your time frequency,
then use stats and the function dc that gives you the count of the unique values in each bin.

For your use case, you should have something like this

index=*xxxx* namespace=yyyyy container_name=zzzz 
| bin _time span=1w
| stats dc(ctxSessionID)  AS Unique_Users BY _time

I don't know how to define Unique Session, but you can follow my approach.

Ciao.
Giuseppe

balascjp · ‎01-24-2020

Hello @gcusello

Thanks for your reply.

But I have following queries

Can you please verify the now below code is ok ?

Last 4 weeks

Unique-Sessions

index=xxxx namespace=yyyyyy* container_name=zzzzz
| eval day=strftime(_time,"%F")
| bin _time span=1w
| stats dc(ctxSessionID) AS Unique_Session, dc(day) as days BY _time
| eval Avgerage_Per_Day=Unique_Session/days
1
-4w@w
now

0
auto
collapsed
collapsed
auto
auto
auto
linear
column
all
default
none
0
0
ellipsisEnd
top
Also I am trying to find the average value of unique session for each week. But I am not sure what I am doing wrong here.

_time Unique_Session days Average_Per_Day
2020-01-12 9154 7 1307
2020-01-19 8669 6 1444

for example it started counting the day from last Sunday 2020-01-19 instead of current week Monday.

my expectation

_time Unique_Session days Average_Per_Day
2020-01-13 9154 7 1307
2020-01-20 8669 5 1733

gcusello · ‎01-24-2020

Hi @balascjp,
I cannot completely read your comment, please use Code Sample button.
Ciao.
Giuseppe

Create a splunk dashboard with following format

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Are you a member of the Splunk Community?

Create a splunk dashboard with following format

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...