Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the average number of users per hour over a bigger timeframe?

buttsurfer
Path Finder
‎02-06-2023 11:53 PM

I have a certain amount of events (generated every 5 min) for a set of websites and their user base and their country. 

The goal is to find the number of distinct users per hour/day/month for each website per country during the last 6 months.

So at the end it will look something like this:

Over the last 6 months:

Country1 - Website1 -  12 users/hour (or day, month)

Country1 - Website2  -  2 users/hour (or day, month)

Country3 - Website1 -  10 users/hour (or day, month)

Country2 - Website3  -  8 users/hour (or day, month)

And what would be the most appropriate chart to visualize the outcome?

 

I have come up with this line but i'm not sure if it gives out what i want (the hourly average)

 

    index...
    | chart count(user) as no_users by location website span=1h
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PaulPanther
Motivator
‎02-07-2023 02:20 AM

You should consider to set up a scheduled report because of the bigger timeframe.

Please try following search:

 

|index=..
| bin span=1h _time AS hour
| stats dc(user) AS user_dc by location website hour 
| stats avg(user_dc) AS avg_user_hour by location website
| eval avg_user_hour=round(avg_user_hour)

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PaulPanther
Motivator
‎02-07-2023 02:20 AM

You should consider to set up a scheduled report because of the bigger timeframe.

Please try following search:

 

|index=..
| bin span=1h _time AS hour
| stats dc(user) AS user_dc by location website hour 
| stats avg(user_dc) AS avg_user_hour by location website
| eval avg_user_hour=round(avg_user_hour)

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...