Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Monthly Occupancy Report with Daily Events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
I am trying to generate a Monthly Occupancy Report of users with Daily events.
The issue is the Daily events consists of Multiple entries of a user, so I have to use "dedup user" command to get single entries every day
As running dedup command on Monthly report will give single entry of a user in a month, I am extracting reports per day and then consolidate it to get a monthly report which is time consuming.
Looking for suggestions/commands which will help to run a monthly report with Single event of a user (per day).
| lookup AD-lookup sAMAccountName as user output displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department
| eval Date=strftime(_time, "%d-%m-%Y"), Time=strftime(_time, "%H:%M") | table Date,Time, user, displayName, title, department, host, Address, Subnet, Site, mail, mobile
| dedup user
| sort 0 -Date,-Time |
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Really, you don't have to go to all that trouble.
dedup is a little more flexible than you are thinking.
your search that gets one or more records for each user per day for the whole month
| table _time User
| bin _time span=1d as Day
| dedup User Day
The above gets you one record per User per Day.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Really, you don't have to go to all that trouble.
dedup is a little more flexible than you are thinking.
your search that gets one or more records for each user per day for the whole month
| table _time User
| bin _time span=1d as Day
| dedup User Day
The above gets you one record per User per Day.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, it worked
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
