Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to count how many times users came?

splunkreal
Motivator
‎06-13-2016 09:24 AM

Data sample :

Date;User
"2016-04-01 09:31:05";"john.doe@gmail.com
"2016-04-01 09:31:06";"jessica.doe@hotmail.com
"2016-04-01 19:31:06";"jessica.doe@hotmail.com

"2016-04-02 11:31:05";"john.doe@gmail.com
"2016-04-02 12:31:06";"jessica.doe@hotmail.com

"2016-04-03 13:31:05";"john.doe@gmail.com
"2016-04-03 14:31:06";"jessica.doe@hotmail.com

"2016-04-04 15:31:05";"john.doe@gmail.com
"2016-04-04 16:31:06";"jessica.doe@hotmail.com
"2016-04-04 18:31:05";"john.doe@gmail.com

The desired output :

Nb users|01/04/2016|02/04/2016|03/04/2016|04/04/2016
1 time |1 |1 |1 |1
2 times |1 |0 |0 |1
3 times |0 |0 |0 |0

* If this helps, please upvote or accept solution if it solved *
Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-13-2016 11:46 AM

Try something like this to produce the desired output:

  base search
| eval Date = strptime(Date, "%Y-%m-%d %H:%M:%S")
| bin span=1d Date
| stats dc(User) by Date
|eval Date = strftime(Date, "%d/%m/%Y")
| chart dc(User) by count Date
| makecontinuous count
| fillnull
0 Karma
Reply

splunkreal
Motivator
‎06-14-2016 05:50 AM

Thanks, it helped me but I think I found the solution :

| eval date = strptime(date, "%Y-%m-%d %H:%M:%S")
| stats count(user) as count_users by date,user | eval date = strftime(date, "%d/%m/%Y") | appendpipe [stats sum(count_users) as times by date,user] | fields - count_users | table times,date | where (times > 0)

Output :

times date
2 01/04/2016
1 01/04/2016
1 02/04/2016
1 02/04/2016
1 03/04/2016
1 03/04/2016
1 04/04/2016
2 04/04/2016

I need to rotate the table now.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...