Solved: Apply a trendline to a chart of Unique User Sessio...

JeffV

I've got to be close. But having issues trying to figure out how to get a distinct count of user sessions to show up in a bar chart with a trendline. I'd like to see a distinct count of users for last year by month and have a trendline added.

<My Search>

| stats dc(userSesnId) as moving_avg
| timechart span=30d dc(userSesnId) as count_of_user_sessions | trendline sma4(moving_avg) as "Moving Average"
| rename count_of_user_sessions AS "Disctinct Count of User Sessions"

JeffV

Ended up going with this that works pretty good.

[My Search]
| timechart span=$span$d dc(userSesnId) as count_of_user_sessions | trendline sma$sma$(count_of_user_sessions) as "Moving Average"
| rename count_of_user_sessions AS "Disctinct Count of User Sessions"

View solution in original post

kiran_panchavat

@JeffV

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

JeffV

Hi Kiran,

Thanks for the info. I did post my solution earlier today. And, I think it pretty much mirrors what you've got.
So, at least I know I am on the right wavelength.

JeffV

Ended up going with this that works pretty good.

[My Search]
| timechart span=$span$d dc(userSesnId) as count_of_user_sessions | trendline sma$sma$(count_of_user_sessions) as "Moving Average"
| rename count_of_user_sessions AS "Disctinct Count of User Sessions"

isoutamo

Hi

when you are using stats it removed all other fields. Basically you have two options to do this. You should use timechart and also trendline or streamchat with window parameter.

r. Ismo

Apply a trendline to a chart of Unique User Sessions span 30

timechart

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Leverage Cisco Talos Threat Intelligence Across Splunk Security Products

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!