Solved: Re: Better search string than this to count top lo...

bowesmana · ‎12-09-2013

My data consists of login events to a system. Each user belongs to a Company, of which there are 12 companies represented. The event date is the login time.

Fields are

Company - Company code
Co_Name - Company name
Name - User's name

I want a report to show :

For each company, the users with the most logged in days, i.e. only one login counts per day, during a given period.

I can achieve the top user per company like this

sourcetype=logins* | stats dc(Date) as Count by Name, Co_Name | sort Co_Name, -Count | dedup Co_Name

but if there is a company with more than one user with the same number of logged in days, I will only get one, whereas I want all the users for that company with that max login count.

I tried this one

sourcetype=logins* | top showperc=false 1 Name, Company by Co_Name

but that does not take account of more than one login per day, which should only count 1.

I feel there would be a more correct way to achieve this other than my search string above...

martin_mueller · ‎12-09-2013

How about this, starting with your initial search:

sourcetype=logins* | stats dc(Date) as Count by Name, Co_Name | eventstats max(Count) as maxCount by Co_Name | where Count=maxCount

That should keep multiple equal "leaders" per company.

View solution in original post

martin_mueller · ‎12-09-2013

How about this, starting with your initial search:

sourcetype=logins* | stats dc(Date) as Count by Name, Co_Name | eventstats max(Count) as maxCount by Co_Name | where Count=maxCount

That should keep multiple equal "leaders" per company.

bowesmana · ‎12-09-2013

Perfect - thanks a lot martin!

Better search string than this to count top logins by Company by date

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...