Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use stats to get sum of unique ids , lists of user and Total count logged.

shalinibisht
Explorer
‎03-18-2021 11:22 PM

Hi,

My filter here is , Which shows the list of unique users with the no of times es they have logged into the system/server as success response.

Index=* eventName=* host IN(here is the list of the server) response.status=SUCCESSFUL | stats count by “userId” | sort  - count

The result is attached screen shot.

My requirement is to get the data for total no of distinct users count to, I can fetch it by dc or distinct_count(userId) by how can I get all three data in the same page. The list of users, the sum of users and no of times they logged in as count.list.png

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-19-2021 12:32 AM

hi @shalinibisht,

You can use eventstats to get the total number of users.

Index=* eventName=* host IN(here is the list of the server) response.status=SUCCESSFUL | stats count by "userId" | sort  - count | eventstats count(userId) as "Total Number of Users"

Tip: Always use index name(s) instead of * for the index query for better performance.

If this reply helps you, an upvote/like would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-19-2021 12:32 AM

hi @shalinibisht,

You can use eventstats to get the total number of users.

Index=* eventName=* host IN(here is the list of the server) response.status=SUCCESSFUL | stats count by "userId" | sort  - count | eventstats count(userId) as "Total Number of Users"

Tip: Always use index name(s) instead of * for the index query for better performance.

If this reply helps you, an upvote/like would be appreciated.

Reply
Solved! Jump to solution

shalinibisht
Explorer
‎03-19-2021 01:22 AM

Hi @manjunathmeti,

Thanks for the resposne.

Eventstats is not working , its throwing an error argument invalid.

Yes I am using index=value(not to mention the name I made it asterik.)

Thanks

Shalini Bisht

 

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-19-2021 01:25 AM

Try this:

Index=* eventName=* host IN(here is the list of the server) response.status=SUCCESSFUL | stats count by "userId" | sort  - count | eventstats count as "Total Number of Users"
0 Karma
Reply
Solved! Jump to solution

shalinibisht
Explorer
‎03-19-2021 02:15 AM

Hi @manjunathmeti 

Thanks that worked!

I could the total count for userid, can the view be chnanged as it will show value multiple timesview.png

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-19-2021 04:55 AM

you can use stats values but I would not suggest it since you have more than 1000 events.

Index=* eventName=* host IN(here is the list of the server) response.status=SUCCESSFUL | stats count by "userId" | sort  - count | eventstats count as "Total Number of Users" | stats values(*) as *

 

 If these replies help you, likes would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...
Top