Solved: Count the number of users in more than one time bu...

user93 · ‎02-21-2019

I want to count userid that are in more than one bucket. The goal is to see how many users are returning users. I used first the transaction command, but it did not meet my needs.

base search userId!="" | bucket span=1day _time | stats dc(userId) as UniqueUsers by _time

What I really want is to evaluate the number of users that registered more than bucket span over a given periord of time.

pkeenan87 · ‎02-21-2019

If you want to see the users that registered more than one bucket span over a period of time we can just reverse the fields in the stats command:

base search userId!="" | bucket span=1day _time | stats dc(_time) as UniqueBuckets by userid | sort - UniqueBuckets

View solution in original post

somesoni2 · ‎02-21-2019

Give this a try

base search userId!="" | bucket span=1day _time
| stats dc(_time) as reportedBuckets by userId
| eventstats count as totalUsers
| where reportedBuckets>1
| stats count as userReportingMultiBucket max(totalUsers) as totalUsers
| ...percent calculation goes here...

user93 · ‎02-21-2019

Thank you this worked great!

pkeenan87 · ‎02-21-2019

If you want to see the users that registered more than one bucket span over a period of time we can just reverse the fields in the stats command:

base search userId!="" | bucket span=1day _time | stats dc(_time) as UniqueBuckets by userid | sort - UniqueBuckets

user93 · ‎02-21-2019

Thank you so much for the quick answer.

Count the number of users in more than one time bucket as percent of total users

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023