Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create a timechart with the average of total events/count of users per hour?

changux
Builder
‎02-25-2016 06:27 AM

Hi all.

I have a sourcetype with a lot of events. I want to prepare a timechart that present the total events per hour divided in the count of users to present the average of events per hour according to the number of users. My user field is user_id.

I tried presenting the events per hour as | timechart count by user_id span=1h and other combinations, but I don't know how can operate the timechart against the total count of users.

Any can please help me?

Regards,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎02-25-2016 06:47 AM

Not sure if I understood what you are looking for but give this a go:

yoursearch
| fields _time, user_id
| eventstats dc(user_id) as total_users
| timechart span=1h count, first(total_users) as total_users
| eval count = round(count / total_users, 2)
| fields - total_users

View solution in original post

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎02-25-2016 10:03 AM

I think it's just 

<your search terms>
| timechart span=1h count as events dc(user_id) as users
| eval events_per_user=events/users
| fields - events users
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎02-25-2016 06:47 AM

Not sure if I understood what you are looking for but give this a go:

yoursearch
| fields _time, user_id
| eventstats dc(user_id) as total_users
| timechart span=1h count, first(total_users) as total_users
| eval count = round(count / total_users, 2)
| fields - total_users
Reply
Solved! Jump to solution

changux
Builder
‎02-25-2016 08:19 AM

This is exactly! Thanks a lot.

0 Karma
Reply
Solved! Jump to solution

changux
Builder
‎02-25-2016 08:48 AM

Hello. Some way to improve to only count the quantity of users with activity in the related hour? I mean, if i have from 8am to 9am only 23 users active (not the total sum of users per day).
Thanks!

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎02-26-2016 01:47 AM

Hi,

As @sideview mentioned below, it should be as simple as:

yoursearch
 | fields _time, user_id
 | timechart span=1h count as events, dc(user_id) as users
 | eval events_per_user=events/users
 | fields - events users
0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...