
How to create a report that displays stats count in a table for x days?

Explorer

Sorry, I am new to Splunk and wondering if I can have a report that gives results in a table as below,

data as :

index=api serviceName=find userId=7878
index= api serviceName=find userId=7877
index= api serviceName=find userId=7878
index= api serviceName=person userId=7878

Result should be like :
a) table A : serviceName, count of (unique userIds)
b) Also, if it's possible, to have the result of table A for 1 day, 7 days, 30 days

Please provide the queries also.

0 Karma

Re: How to create a report that displays stats count in a table for x days?

Motivator

Assuming you have fields called serviceName and userId and index is called api, try:

index=api | stats dc(userId) as "Distinct User Count" by serviceName

For B) try

index=api earliest=-7d@d | timechart span=1d dc(userId) by serviceName useother=f

Change the value of "7" in the above to yourNumber to get the results as far back as you like: -30d@d and so on. Use the visualizations or just use the statistics table. The visualization gives options for charting query B) with a line chart or bar graph.

Added useother=f, so that there is no "other" grouping and results show up for each serviceName.

0 Karma

Re: How to create a report that displays stats count in a table for x days?

Legend

Try this

index=api earliest=-30d@d | eval timeframe=case(_time>=relative_time(now(), "@d"), "Today", _time<relative_time(now(), "@d") AND _time>=relative_time(now(), "-7d@d"), "7 days", _time<relative_time(now(), "-7d@d") AND _time>=relative_time(now(), "-30d@d"), "30 days") | chart dc(userId) as Users over serviceName by timeframe

0 Karma
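
The case() buckets in the answer above are disjoint ("7 days" excludes today, "30 days" excludes the last 7 days), and distinct counts from disjoint buckets cannot be added together into a cumulative figure. The search below is an added example, not part of the original thread, that produces cumulative columns per serviceName instead; the field names today_start and week_start are introduced here for illustration, and "1 day" means since midnight today.

```spl
index=api earliest=-30d@d
| eval today_start=relative_time(now(), "@d"), week_start=relative_time(now(), "-7d@d")
| stats dc(eval(if(_time>=today_start, userId, null()))) as "1 day"
        dc(eval(if(_time>=week_start, userId, null()))) as "7 days"
        dc(userId) as "30 days"
  by serviceName
```

Each dc(eval(...)) only sees userId values from events inside its window, so a user active on several days is counted once per column.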

Re: How to create a report that displays stats count in a table for x days?

Explorer

Thanks sundareshr.
This gives me quite a good result, as I was expecting, but can you also tell me if there is a way to get only the top users' stats in a similar report (I don't want all the users' results pulled)? For example, if X is the top API user of today, I want to compare his stats for the last 2 days, to see if there is any spike, in the same query/report.

0 Karma

Re: How to create a report that displays stats count in a table for x days?

Splunk Employee

@Vicky84 - Did either of the below answers help you out? If yes, please click "Accept" below the best answer to resolve your post. If no and you still need help, please leave a comment with some feedback. Thanks!

0 Karma