Reporting

Report monthly stats, binning by if an event occured once or more then once a month

dominiquevocat
Motivator

How would i report for a year if on a montly basis user x logged in once or more then once.

the table shall look like this:

                     singe login                multiple logins
January                   5                               1
February                  20                              9
...

So far i rather clumsily build up an aproximate result like this:

| stats count(CN) by date_month,CN 
| rename count(CN) AS freq 
| eval frequency=if(freq>1,"multiple logins","single login") 
| stats count(CN) by frequency,date_month
Tags (2)
0 Karma
1 Solution

acharlieh
Influencer

You're actually really close. You want to use a chart command last to turn your results into the table you want.

| stats count as freq by date_month,CN
| eval frequency=if(...)
| chart count over date_month by frequency

View solution in original post

acharlieh
Influencer

You're actually really close. You want to use a chart command last to turn your results into the table you want.

| stats count as freq by date_month,CN
| eval frequency=if(...)
| chart count over date_month by frequency

acharlieh
Influencer

I could have the over and by clause reversed, (being on an iPad in the airport this is a bit off the top of my head) the contents of the if function are the same as yours, also I used an as clause to get rid of the rename clause.

0 Karma

dominiquevocat
Motivator

Thanks. Simple as that huh? Oh well.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...