Splunk Search

How do modify my search to get an average count of distinct users per day?

Dallastek
Explorer

I have a search where I have total number of users and total number of events per day, but I also need to add a column showing average users per day.

Search:

mysearch | eval full_date = date_wday." ".date_month." ".date_mday | chart count dc(user) AS "Distinct User" by full_date  | rename full_date AS Date, count AS Total  | fieldformat Total=tostring(Total,"commas")  | table Date, "Distinct User", Total

So I currently have a table with Date, Distinct User Total. I just cant seem to get the average to work in this search.

0 Karma

sundareshr
Legend

Try this

 mysearch | eval full_date = date_wday." ".date_month." ".date_mday | chart count dc(user) AS "Distinct User" by full_date  | rename full_date AS Date, count AS Total  | fieldformat Total=tostring(Total,"commas")  | table Date, "Distinct User", Total | eventstats avg("Distinct User") as "Avg User" 
0 Karma

Dallastek
Explorer

That shows the exact same number as the distinct user, perhaps what I am trying to show is the average user count of the total distinct users over time. For instance if I have 1500 distinct users over 7 days, show the average user count for that time

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!