Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I count users that have logged in at least once a month for the last 3 months?

sharonmok
Path Finder
‎05-22-2018 12:29 PM

Hi everyone,

I want to do a distinct count of users that have:

1) Logged in at least once a month AND
2) They've done this in the last 3 consecutive months.

So if they logged in only during one or two of the three months, it won't count them.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎05-22-2018 12:54 PM

Provided you have month field extracted from your results

.. | stats dc(month) as Month_Count values(month) by USER | where Month_Count  > 3

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-22-2018 11:37 PM

@sharonmok, what are the month and user fields in your query. How do you identify Login attempt? Do you need to count only successful login or failed one as well? Can this be identified based on your data?

If you can add sample data and current query that you have tried, it will help us assist you better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

sharonmok
Path Finder
‎05-23-2018 06:54 AM

This is what I had originally:

| dedup user_company, date_month
| stats count(user_companyname) as client_count
| eval A = (client_count /100) * 100
| table A

The last two lines were just to make it into a percentage out of the total number of users. Login attempt is just if they show up in the logs. No need to count the ones that didn't log in.

Thanks!

0 Karma
Reply
Solved! Jump to solution

Shan
Builder
‎05-22-2018 10:27 PM

@sharonmok

You need to give a alias name.
Try the below query..

| stats dc(Month) as Month,list(Month) as Months,values(Month) as Monthss by User
| where Month>=3
| table User Month Months Monthss

Regards,
Shankarananth T

0 Karma
Reply
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎05-22-2018 12:54 PM

Provided you have month field extracted from your results

.. | stats dc(month) as Month_Count values(month) by USER | where Month_Count  > 3
0 Karma
Reply
Solved! Jump to solution

sharonmok
Path Finder
‎05-22-2018 01:04 PM

Thanks for your reply! I'm getting a 'dc' function is unsupported in 'where' command.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-23-2018 11:26 AM

That's why it is best practice to ALWAYS rename aggregate fields.

| stats dc(month) as DCmonth values(month) by USER | where DCmonth > 3

Reply
Solved! Jump to solution

sharonmok
Path Finder
‎05-23-2018 11:54 AM

Thank you! This did exactly what I wanted it to!

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎05-23-2018 03:34 PM

I agree, should always rename aggregated fields. I posted this in rush. I'll fix the answer.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...