- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Monthly active users query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys,
I've a need to have a monthly active unique users chart. The catch is that I need to present each day the total of the active users from the previous 30 days(each day will have different value).
I do have log with userId as which is enough to indicate that the user is active. The thing is that I need to supply for each day a number that represent the monthly active users calculated especially for that day (going 30 days back for each day and doing distinct count for that 30 day period).
Can you suggest a way of doing that? Example maybe?
[for example if I have 3 users that have been active:
user 1 on the 1st, and 4th
user 2 on the 2nd
user 3 on the 3rd
The graph of the next month if breakdown by day will show:
1st - 3 users
2nd - 3 users
3rd - 2 users
4th - 1 user
5th - 0 users
]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The solution eventually was to run an index summary query every day in order to get the monthly active users for this day, and in the dashboard to visualize the indexed data in a time chart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The solution eventually was to run an index summary query every day in order to get the monthly active users for this day, and in the dashboard to visualize the indexed data in a time chart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, it's hard to give you a good answer, since you do not give any information about your logs, the system generating said logs, what statistics your boss wants, what is considered to be an active user, count or distinct count etc etc etc.
Anyway, assuming you have a log file which contains events with timestamp userid=blaha action=someaction, and this is considered to be an "active" user, and that you want the distinct number of users, i.e. if the user jdoe logs on 23 times in a single day, it still counts as one user. A possible solution could look like;
sourcetype=your_sourcetype earliest=-30d@d latest=@d| timechart span=1d dc(userid) | addcoltotals
Hope this helps you somewhat. And please remember - the more information you give, the better help you get.
/Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Kristian.
I do have log with userId as you noted which is enough to get my user to be "active". The thing is that I need to supply for each day a number that represent the monthly active users calculated especially for that day (going 30 days back for each day and doing distinct count for that 30 day period). Currently I have no leads on how to do it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
edited the answer so that the search goes through the previous 30 days, not including 'today'.
/k
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
