Solved: Better search string than this to count top logins...

bowesmana · ‎12-09-2013

My data consists of login events to a system. Each user belongs to a Company, of which there are 12 companies represented. The event date is the login time.

Fields are

Company - Company code
Co_Name - Company name
Name - User's name

I want a report to show :

For each company, the users with the most logged in days, i.e. only one login counts per day, during a given period.

I can achieve the top user per company like this

sourcetype=logins* | stats dc(Date) as Count by Name, Co_Name | sort Co_Name, -Count | dedup Co_Name

but if there is a company with more than one user with the same number of logged in days, I will only get one, whereas I want all the users for that company with that max login count.

I tried this one

sourcetype=logins* | top showperc=false 1 Name, Company by Co_Name

but that does not take account of more than one login per day, which should only count 1.

I feel there would be a more correct way to achieve this other than my search string above...

martin_mueller · ‎12-09-2013

How about this, starting with your initial search:

sourcetype=logins* | stats dc(Date) as Count by Name, Co_Name | eventstats max(Count) as maxCount by Co_Name | where Count=maxCount

That should keep multiple equal "leaders" per company.

View solution in original post

martin_mueller · ‎12-09-2013

How about this, starting with your initial search:

sourcetype=logins* | stats dc(Date) as Count by Name, Co_Name | eventstats max(Count) as maxCount by Co_Name | where Count=maxCount

That should keep multiple equal "leaders" per company.

bowesmana · ‎12-09-2013

Perfect - thanks a lot martin!

Better search string than this to count top logins by Company by date

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update