Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Count items satisfying a condition
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a event created each time a user does an action in my system (e.g. login, open_page, close_page).
I need to do statistics based on the user regularity: a regular user logins more than 5 times or more over a period, the others are occasional.
I use the query:
... event=login| stats count by user
which returns the following :
User A: 10
User B: 7
User C: 3
User 😧 5
I am trying to obtain the following:
- Number of regular users (login >=5 times)
- Number of open_page events done by regular users
- Proportion of close_page per user type (regular vs occasional)
Thanks for the help!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
Number of regular users (login >=5 times)
... event=login| stats count by user | where count>=5 | stats count as "Number of regular users"
Number of open_page events done by regular users
To list regular users with corresponding open_page events
... event=login OR event=open_page | chart count by user event | where login>=5
To list total count of oepn_page events by regular users
... event=login OR event=open_page | chart count by user event | where login>=5 | stats sum(open_page) as "Total open_page events by regular users"
Proportion of close_page per user type (regular vs occasional)
... event=login OR event=close_page | chart count by user event | eval user_type=if(count>=5, "regular", "occasional") | eval temp=1 | chart sum(close_page) over temp by user_type | eval "Close_page Ratio(regular/occational)"=regular/occasional
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
Number of regular users (login >=5 times)
... event=login| stats count by user | where count>=5 | stats count as "Number of regular users"
Number of open_page events done by regular users
To list regular users with corresponding open_page events
... event=login OR event=open_page | chart count by user event | where login>=5
To list total count of oepn_page events by regular users
... event=login OR event=open_page | chart count by user event | where login>=5 | stats sum(open_page) as "Total open_page events by regular users"
Proportion of close_page per user type (regular vs occasional)
... event=login OR event=close_page | chart count by user event | eval user_type=if(count>=5, "regular", "occasional") | eval temp=1 | chart sum(close_page) over temp by user_type | eval "Close_page Ratio(regular/occational)"=regular/occasional
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this:
... event="login" OR event="open_page" OR event="close_page"
| stats count(eval(event="login")) AS login_count
count(eval(event="open_page")) AS open_page_count
count(eval(event="close_page")) AS close_page_count BY user
| eval user_type=if(login_count>=5, "regular", "occasional")
That should give you a table with the necessary stats and categorizations to calculate all three!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
