Solved: Count the number of users in more than one time bu...

user93 · ‎02-21-2019

I want to count userid that are in more than one bucket. The goal is to see how many users are returning users. I used first the transaction command, but it did not meet my needs.

base search userId!="" | bucket span=1day _time | stats dc(userId) as UniqueUsers by _time

What I really want is to evaluate the number of users that registered more than bucket span over a given periord of time.

pkeenan87 · ‎02-21-2019

If you want to see the users that registered more than one bucket span over a period of time we can just reverse the fields in the stats command:

base search userId!="" | bucket span=1day _time | stats dc(_time) as UniqueBuckets by userid | sort - UniqueBuckets

View solution in original post

somesoni2 · ‎02-21-2019

Give this a try

base search userId!="" | bucket span=1day _time
| stats dc(_time) as reportedBuckets by userId
| eventstats count as totalUsers
| where reportedBuckets>1
| stats count as userReportingMultiBucket max(totalUsers) as totalUsers
| ...percent calculation goes here...

user93 · ‎02-21-2019

Thank you this worked great!

pkeenan87 · ‎02-21-2019

If you want to see the users that registered more than one bucket span over a period of time we can just reverse the fields in the stats command:

base search userId!="" | bucket span=1day _time | stats dc(_time) as UniqueBuckets by userid | sort - UniqueBuckets

user93 · ‎02-21-2019

Thank you so much for the quick answer.

Count the number of users in more than one time bucket as percent of total users

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform