Hi @venkatasri ,

thank you this has helped! Would you also know how to do a unique count as well for instance, use this query 

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* | timechart count

and i want to find what users occur the most in these calls. the parameter is just "user".  e.g. user = 76757549

and the users that occur most in the search over the 3 months.

Thanks again,

Callum

Hi @Callum_f 

Hope this helps for distinct count of user by instance. Just a note 3 months is too long and timechart command can not display more than 10k values by default.

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* | timechart dc(user) as unique_user_count by host

@Callum_f 

To find top 5 users you can run this, adjust limit=<number>

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* | top limit=5 user 

Hi, @venkatasri 

 the event text contains this text "Lambda Request Payload -> {"user":"8573993" etc..." 

when i try the below i get nothing in the sampling, is this because it's not a searchable parameter?

as there are no results in statistics.

What I am looking for is to get the a result e.g.  "user":"8573993" = 12, showing the top 5 most frequently occurring users

sorry @venkatasri  I was wrong, i need to create a graph/list  and count of how many differnet users are showed in the results, is this possible?

@Callum_f  

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* 
| rex "\"user\":\"(?<user>\d+)"  
| bin span=1d _time
| stats values(user) as  user_list, dc(user) as unique_user_count by _time

can you try this works? 

@venkatasri yes it did! thank you so much

@Callum_f glad it helped!

Hi @venkatasri 

Sorry to keep asking question, I just wanted to ask if there was a way to search a field like the user field to see how much they are spending if there is a letter in front of it.

e.g. "cost" : "C1000" showing they spent $1000. 

So for example I want to search when the user spends between C1000 and C20000. 

which would be added on to this 

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* 

Hi @Callum_f 

Something like this  might work,

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* 
| rex "\"user\":\"(?<user>\d+)"  
| rex "\"cost\"\s+:\s+\"C(?<cost>\d+)"
| stats sum(cost) as total_cost by user

---

An upvote would be appreciated if this reply helps!

@Callum_f  This one for between 1000 to 20000 users

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* 
| rex "\"user\":\"(?<user>\d+)"  
| rex "\"cost\"\s+:\s+\"C(?<cost>\d+)"
| stats sum(cost) as total_cost by user 
| where  total_cost >= 1000 AND total_cost <= 20000

---

An upvote would be appreciated if this reply helps!

Hi @venkatasri 

unfortunately that didn't work 😞

I am not concerned with repeat users now, don't know if that changes anything.

is there a way to take off the C in the search so it just looks for the numbers in the cost parameter?

@Callum_f could be issue with regex, need complete event having cost, user in it. I would advise to open a new thread as original solution for this thread already closed. Describe what you need there and share full event..

@venkatasri Thank you so much!! you have been a massive help!!