Solved: Re: Count the number of users in more than one tim...

user93 · ‎02-21-2019

I want to count userid that are in more than one bucket. The goal is to see how many users are returning users. I used first the transaction command, but it did not meet my needs.

base search userId!="" | bucket span=1day _time | stats dc(userId) as UniqueUsers by _time

What I really want is to evaluate the number of users that registered more than bucket span over a given periord of time.

pkeenan87 · ‎02-21-2019

If you want to see the users that registered more than one bucket span over a period of time we can just reverse the fields in the stats command:

base search userId!="" | bucket span=1day _time | stats dc(_time) as UniqueBuckets by userid | sort - UniqueBuckets

View solution in original post

somesoni2 · ‎02-21-2019

Give this a try

base search userId!="" | bucket span=1day _time
| stats dc(_time) as reportedBuckets by userId
| eventstats count as totalUsers
| where reportedBuckets>1
| stats count as userReportingMultiBucket max(totalUsers) as totalUsers
| ...percent calculation goes here...

user93 · ‎02-21-2019

Thank you this worked great!

pkeenan87 · ‎02-21-2019

If you want to see the users that registered more than one bucket span over a period of time we can just reverse the fields in the stats command:

base search userId!="" | bucket span=1day _time | stats dc(_time) as UniqueBuckets by userid | sort - UniqueBuckets

user93 · ‎02-21-2019

Thank you so much for the quick answer.

Count the number of users in more than one time bucket as percent of total users

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann