Solved: Activity Counts

OliverG91 · ‎10-23-2020

I am looking for a way to list the counts by customer (for example, including 0 activity) for the past hour, among all customers so far that has had activity since the start of the day.

Example: John (15), Dave (10) and Maria (8) so far for the day. Within the past hour: Dave (3).

The result I am looking for is something like this:

John (0), Dave (3), Maria (0).

I have looked at map, joins and subsearches, but nothing so far works. I need to list the 0 activity as well since they have been active for the day, just not in the last hour. Any ideas?

ITWhisperer · ‎10-23-2020

``` get hourly count by user over period of search ```
| bin span=1h _time
| stats count by user _time
``` reset counts to zero for earlier hours ```
| eval count=if(_time >= relative_time(now(),"@h"), count, 0)
``` sum counts by user ```
| stats sum(count) as count by user

View solution in original post

OliverG91 · ‎10-23-2020

It worked perfectly, @ITWhisperer . Thank you very much!

ITWhisperer · ‎10-23-2020

``` get hourly count by user over period of search ```
| bin span=1h _time
| stats count by user _time
``` reset counts to zero for earlier hours ```
| eval count=if(_time >= relative_time(now(),"@h"), count, 0)
``` sum counts by user ```
| stats sum(count) as count by user

Activity Counts

join

stats

subsearch

timechart

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!