Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count of users in a month who cross a threshold of usage?

MichaelCohen829
Explorer
‎05-12-2014 03:23 PM

Hello Splunk Community,

I am trying to answer this question: How many users have logged into the system on at least 4 separate days during the last 30 days?

So far I’ve generated this search:

sourcetype="LogFile" ActionType="Login” earliest=-30d@d | chart dc(StartTime) as xcount by UserId | where xcount>4 | stats count as "Users >= 4 logins"

The issue that I’m facing is that I cannot determine how to count Logins by day. My current Search simply counts number of Logins although those logins may have all occurred on the same day, but I want to find out how many have logged in on at least 4 separate days.

Our StartTime data element is in the following format: dd/mm/yy H:M:S. I can truncate the StartTime down to dd-mm-yy with the following eval statement: eval StartTime=strptime(StartTime, "%Y-%m-%dT%H:%M:%S")|eval StartTime=strftime(StartTime,"%d-%b-%Y"). However, I cannot figure out how get the login counts associated with unique days. i.e: I have not yet been successful in moving the truncated date into my Search.

Thank you,

Mike

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-12-2014 03:35 PM

You can count by day like this:

sourcetype=logfile actiontype=login | eval start_epoch = strptime(StartTime, "time format goes here") | bin span=1d start_epoch | stats dc(start_epoch) as xcount by UserID | where xcount>4 | stats count as "Users >= 4 logins"

Note, if StartTime is also stored in _time then you can skip the eval and use _time instead.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-12-2014 03:35 PM

You can count by day like this:

sourcetype=logfile actiontype=login | eval start_epoch = strptime(StartTime, "time format goes here") | bin span=1d start_epoch | stats dc(start_epoch) as xcount by UserID | where xcount>4 | stats count as "Users >= 4 logins"

Note, if StartTime is also stored in _time then you can skip the eval and use _time instead.

Reply
Solved! Jump to solution

MichaelCohen829
Explorer
‎05-12-2014 07:55 PM

Thank you Martin! This answer was very helpful

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...