I couldn't exactly figure out how to phrase my question.
I'm working with data of users logging into a service from different places all around the world. What I'm trying to do is categorize and display the logins as very short term (all accesses w/in 24 hours), short term (all accesses w/in 7 days), and long term or repeat visitor (accesses over a more than 7 day period).
I'm new to Splunk so my starting point is
| stats dc(User) as usercount count by IP_address
| sort 0 -count
| head 100
| iplocation IP_address
| table Country Region City usercount count
| where isnotnull( City )
Any help or guidance would be appreciated!
See if this gives you any ideas...
... | stats earliest(_time) as first_login latest(_time) as last_login by IP_Address user | eval term=last_login-first_login | eval term=case(term<=86400, "Very Short", term>86400 AND term<=(86400*7), "Short", term>(86400*7), "Long") | stats count dc(user) as usercount values(term) as term by IP_Address | iplocation IP_Address
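To see what the two-stage stats in that answer actually computes, here is an added Python example (not code from the answer or from Splunk) that reproduces the same pipeline offline over a small constructed set of login events: first the earliest/latest login per (IP_Address, user) pair, then the span-based label, then a roll-up per IP of login count, distinct users and the set of labels. It closes the boundaries so a span of exactly 24h or exactly 7d still gets a label, and it carries the raw login count through the second stage, since a plain count after the first stats only counts (IP, user) rows. The field names, IPs and users are assumptions for illustration.

```python
from collections import defaultdict

DAY = 86400  # seconds, same constant the case() expression uses

# Constructed sample login events, not data from the original post:
# (epoch seconds, IP_Address, user). Times are relative to an arbitrary start.
SAMPLE_LOGINS = [
    (0,        "10.0.0.1", "alice"),
    (3600,     "10.0.0.1", "alice"),
    (0,        "10.0.0.1", "bob"),
    (10 * DAY, "10.0.0.1", "bob"),
    (0,        "10.0.0.2", "carol"),
    (DAY,      "10.0.0.2", "carol"),  # exactly 24h: unlabelled by a strict < / > case()
    (100,      "10.0.0.3", "dave"),   # single login: span 0
    (2 * DAY,  "10.0.0.3", "erin"),
    (5 * DAY,  "10.0.0.3", "erin"),
]


def classify_term(span_seconds):
    """Mirror of the eval/case() step. Boundaries are closed (<=) so spans of
    exactly one day or exactly seven days are still labelled."""
    if span_seconds <= DAY:
        return "Very Short"
    if span_seconds <= 7 * DAY:
        return "Short"
    return "Long"


def first_last_by_ip_user(events):
    """First stats: earliest(_time), latest(_time) and a raw login count
    keyed by (IP_Address, user)."""
    rows = {}
    for t, ip, user in events:
        first, last, n = rows.get((ip, user), (t, t, 0))
        rows[(ip, user)] = (min(first, t), max(last, t), n + 1)
    return rows


def summarize_by_ip(events):
    """Second stats: total logins, dc(user) and values(term) by IP_Address."""
    per_ip = defaultdict(lambda: {"logins": 0, "users": set(), "terms": set()})
    for (ip, user), (first, last, n) in first_last_by_ip_user(events).items():
        s = per_ip[ip]
        s["logins"] += n          # sum of per-user counts, not a row count
        s["users"].add(user)
        s["terms"].add(classify_term(last - first))
    return {
        ip: {"logins": s["logins"], "usercount": len(s["users"]),
             "term": sorted(s["terms"])}
        for ip, s in per_ip.items()
    }


if __name__ == "__main__":
    for ip, row in sorted(summarize_by_ip(SAMPLE_LOGINS).items()):
        print(ip, row)
```

The SPL equivalent of the two adjustments is to use `<=` in the case() conditions and, if you want the real number of logins per IP rather than the number of users, to add `count as logins` to the first stats and `sum(logins) as logins` to the second; `iplocation` then runs on the per-IP rows exactly as in the answer.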
Thanks for the quick response -- I tried that code and got an "Error in 'stats command: The argument 'login' is invalid."
There's first_login and last_login, there's no login. Can you post your search?
I was able to get it to run but there was no results found under Statistics so I'm not sure what went wrong.
Edit: I had to change the capitalization for some of the variables but I'm getting results now!
Great! Please accept the answer to close it out.