Solved: Re: Activity Counts

OliverG91 · ‎10-23-2020

I am looking for a way to list the counts by customer (for example, including 0 activity) for the past hour, among all customers so far that has had activity since the start of the day.

Example: John (15), Dave (10) and Maria (8) so far for the day. Within the past hour: Dave (3).

The result I am looking for is something like this:

John (0), Dave (3), Maria (0).

I have looked at map, joins and subsearches, but nothing so far works. I need to list the 0 activity as well since they have been active for the day, just not in the last hour. Any ideas?

ITWhisperer · ‎10-23-2020

``` get hourly count by user over period of search ```
| bin span=1h _time
| stats count by user _time
``` reset counts to zero for earlier hours ```
| eval count=if(_time >= relative_time(now(),"@h"), count, 0)
``` sum counts by user ```
| stats sum(count) as count by user

View solution in original post

OliverG91 · ‎10-23-2020

It worked perfectly, @ITWhisperer . Thank you very much!

ITWhisperer · ‎10-23-2020

``` get hourly count by user over period of search ```
| bin span=1h _time
| stats count by user _time
``` reset counts to zero for earlier hours ```
| eval count=if(_time >= relative_time(now(),"@h"), count, 0)
``` sum counts by user ```
| stats sum(count) as count by user

Activity Counts

join

stats

subsearch

timechart

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!