Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do modify my search to get an average count of distinct users per day?

Dallastek
Explorer
‎10-04-2016 02:18 PM

I have a search where I have total number of users and total number of events per day, but I also need to add a column showing average users per day.

Search:

mysearch | eval full_date = date_wday." ".date_month." ".date_mday | chart count dc(user) AS "Distinct User" by full_date  | rename full_date AS Date, count AS Total  | fieldformat Total=tostring(Total,"commas")  | table Date, "Distinct User", Total

So I currently have a table with Date, Distinct User Total. I just cant seem to get the average to work in this search.

0 Karma
Reply

sundareshr
Legend
‎10-04-2016 04:06 PM

Try this

 mysearch | eval full_date = date_wday." ".date_month." ".date_mday | chart count dc(user) AS "Distinct User" by full_date  | rename full_date AS Date, count AS Total  | fieldformat Total=tostring(Total,"commas")  | table Date, "Distinct User", Total | eventstats avg("Distinct User") as "Avg User"
0 Karma
Reply

Dallastek
Explorer
‎10-05-2016 08:48 AM

That shows the exact same number as the distinct user, perhaps what I am trying to show is the average user count of the total distinct users over time. For instance if I have 1500 distinct users over 7 days, show the average user count for that time

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...