Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count number of users who logged in every hour for last 15 days

freephoneid
Path Finder
‎03-07-2012 04:22 PM

Hi,

My log contains entries as shown below:

[2012-03-07 23:57:49:107 GMT+00:00][12321312332432545435435543.http-8080-35][com.myabc.myactions.myAction] INFO #login# useremail=myemail@hotmail.com userid=6367 
[2012-03-06 23:57:49:107 GMT+00:00][89237658745354353.http-8080-35][com.myabc.myactions.myAction] INFO #login# useremail=someoneemail@hotmail.com userid=8472

I want to know how many users (basically userids) logged in every hour for last 15 days.
For example: between 12 to 1, 15 users logged in, between 1 to 2, 0 users logged in, etc

How can I get these numbers? Is there a way I can get this number to export it to excel?

Appreciate any help!!

Tags (3)
0 Karma
Reply

Ayn
Legend
‎03-08-2012 01:57 PM

Timechart seems to be the easiest way to solve this.

... | timechart span=1h dc(userid)
0 Karma
Reply

lguinn2
Legend
‎03-07-2012 06:03 PM

Try this

info login | stats dc(userid) by date_month date_mday date_hour

This counts how many unique userids appear in the log for each hour. However, a user is only counted in the hour that they logged in - in other words, if they logged in at 9:00 am and logged out at 5:00 pm, they are only counted in the 9:00 hour. (Assuming that this search only retrieves login events.) If a user logs in 3 times in one hour, he/she is only counted once for that hour.

Once you run the search, click the export button and choose CSV format to output your results to a csv file on your desktop.

If this isn't what you want, can you clarify what other events (like logout events, etc.) might also appear in the logs?

Reply

freephoneid
Path Finder
‎03-08-2012 02:31 PM

I tried this but its not showing any result under outputDate column. Is there anything missing in this query? the latest(_time) does not producing any result.

0 Karma
Reply

lguinn2
Legend
‎03-08-2012 01:54 PM

info login |
stats dc(userid) as userCount latest(_time) by date_month date_mday date_hour |
eval outputDate = strftime(_time, "%m/%d/%Y") |
fields + outputDate date_hour userCount

should do better - and it's shorter too!

Typo - outputDate is case-sensitive. Timechart, as Ayn points out, would be easier - I forgot that you can just show the data table from the timechart. This is what you want, not the actual graph.

0 Karma
Reply

freephoneid
Path Finder
‎03-08-2012 01:16 PM

Thanks again for quick reply. However, the outputdate is coming as march/3/null. Somehow, the year is coming null all the time & month is coming in words instead of numbers. Any clue?

0 Karma
Reply

lguinn2
Legend
‎03-08-2012 11:03 AM

info login | stats dc(userid) userCount by date_month date_mday date_hour date_year |
eval outputdate = tostring(date_month) + "/" + tostring(date_mday) + "/" +
tostring(date_year) | fields + outputDate date_hour userCount

should do it

0 Karma
Reply

freephoneid
Path Finder
‎03-08-2012 10:46 AM

Thanks for the quick reply. Is there a way to produce the date in mm/dd/yyyy format in single column itself so that when I export it to csv, it'll show up in one column as mm/dd/yyyy?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...