I couldn't exactly figure out how to phrase my question.
I'm working with data of users logging into a service from different places all around the world. What I'm trying to do is categorize and display the logins as very short term (all accesses w/in 24 hours), short term (all accesses w/in 7 days), and long term or repeat visitor (accesses over a more than 7 day period).
I'm new to Splunk so my starting point is
| stats dc(User) as usercount count by IP_address | sort 0 -count | head 100 | iplocation IP_address | table Country Region City usercount count | where isnotnull( City )
Any help or guidance would be appreciated!
See if this gives you any ideas...
... | stats earliest(_time) as first_login latest(_time) as last_login by IP_Address user | eval term=last_login-first_login | eval term=case(term<86400, "Very Short", term<(86400*7), "Short", true(), "Long") | stats count dc(user) as usercount values(term) as term by IP_Address | iplocation IP_Address
Thanks for the quick response -- I tried that code and got an "Error in 'stats command: The argument 'login' is invalid."
I was able to get it to run but there were no results found under Statistics so I'm not sure what went wrong.
Edit: I had to change the capitalization for some of the variables but I'm getting results now!
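The bucketing discussed in this thread, written out in Python as an added example (not code from either poster), so that the SPL output can be checked against a known answer on a small data set. The events, IP addresses and function names are constructed, and the boundaries are assumed inclusive: a span of exactly 24 hours counts as very short term, and a user with a single login has a span of 0.

```python
from collections import defaultdict
from datetime import datetime

DAY = 86400  # seconds in 24 hours

# Constructed sample events: (timestamp, user, source IP from documentation ranges)
EVENTS = [
    ("2024-03-01 08:00:00", "alice", "203.0.113.10"),
    ("2024-03-01 19:30:00", "alice", "203.0.113.10"),  # 11.5 hour span
    ("2024-03-01 09:00:00", "bob", "203.0.113.10"),
    ("2024-03-04 09:00:00", "bob", "203.0.113.10"),    # 3 day span
    ("2024-03-01 00:00:00", "carol", "198.51.100.7"),
    ("2024-03-02 00:00:00", "carol", "198.51.100.7"),  # exactly 24 hours
    ("2024-03-01 12:00:00", "dave", "198.51.100.7"),
    ("2024-03-20 12:00:00", "dave", "198.51.100.7"),   # 19 day span
    ("2024-03-05 10:00:00", "erin", "192.0.2.55"),     # single login, span 0
]

def bucket(span_seconds):
    """Map a first-to-last login span onto the three categories from the question."""
    if span_seconds <= DAY:
        return "Very Short"
    if span_seconds <= 7 * DAY:
        return "Short"
    return "Long"

def classify(events):
    """Return {ip: {"count": login events, "usercount": distinct users, "terms": {user: term}}}."""
    first_last = {}             # (ip, user) -> [first login, last login]
    logins = defaultdict(int)   # ip -> number of login events
    for ts, user, ip in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        logins[ip] += 1
        span = first_last.setdefault((ip, user), [t, t])
        span[0], span[1] = min(span[0], t), max(span[1], t)
    out = {}
    for (ip, user), (first, last) in sorted(first_last.items()):
        row = out.setdefault(ip, {"count": logins[ip], "usercount": 0, "terms": {}})
        row["usercount"] += 1
        row["terms"][user] = bucket((last - first).total_seconds())
    return out

if __name__ == "__main__":
    for ip, row in classify(EVENTS).items():
        print(ip, row["count"], row["usercount"], row["terms"])
```

Here `count` is the number of login events per IP, as in the original question's search; in the two-stage `stats` search above, the second `count` is the number of IP/user pairs instead.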