Sorry, I am new to Splunk and wondering if I can have a report that gives results in a table as below.
Data as:
index=api serviceName=find userId=7878
index=api serviceName=find userId=7877
index=api serviceName=find userId=7878
index=api serviceName=person userId=7878
Result should be like:
a) table A: serviceName, count of (unique userIds)
b) Also, if it's possible, the result of table A for 1 day, 7 days, 30 days
Please provide the queries also.
Assuming you have fields called serviceName and userId and index is called api, try:
index=api | stats dc(userId) as "Distinct User Count" by serviceName
For B) try
index=api earliest=-7d@d| timechart span=1d dc(userId) by serviceName useother=f
Change the value "7" above to the number of days you want to get results as far back as you like, e.g. -30d@d and so on. Use the visualizations or just use the statistics table. Visualization will give options of charting with a line chart/bar graph to display query B).
Added useother=f so that there is no "other" grouping and results show up for each serviceName.
index=api earliest=-30d@d | eval timeframe=case(_time>relative_time(now(), "@d"), "Today", _time<relative_time(now(), "@d") AND _time>relative_time(now(), "-7d@d"), "7 days", _time<relative_time(now(), "-7d@d") AND _time>relative_time(now(), "-30d@d"), "30 days") | chart dc(userId) as Users over serviceName by timeframe
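To make clear what the two queries above compute (dc(userId) per serviceName, and the same split into "Today" / "7 days" / "30 days" buckets), here is an added Python emulation of that logic over a handful of constructed events. It is not from this thread and not Splunk code; it assumes relative_time(now(), "-Nd@d") means "subtract N days, then snap to midnight", and it uses inclusive lower bounds so an event landing exactly on a midnight boundary is still assigned a bucket (the strict inequalities in the case() query would leave such an event with no timeframe).

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the results are reproducible (constructed, not real data).
NOW = datetime(2024, 5, 15, 13, 0, tzinfo=timezone.utc)

# Constructed sample events: (_time, serviceName, userId)
EVENTS = [
    (NOW - timedelta(hours=1), "find", 7878),
    (NOW - timedelta(hours=2), "find", 7877),
    (NOW - timedelta(hours=3), "find", 7878),    # same user again today: counted once by dc()
    (NOW - timedelta(hours=4), "person", 7878),
    (NOW - timedelta(days=3), "find", 7879),
    (NOW - timedelta(days=5), "person", 7880),
    (NOW - timedelta(days=20), "find", 7877),
    (NOW - timedelta(days=45), "find", 9999),    # older than earliest=-30d@d: excluded
]


def relative_time(now, days_back):
    """Emulate relative_time(now(), "-<days_back>d@d"): go back N days, snap to midnight."""
    t = now - timedelta(days=days_back)
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def timeframe(event_time, now=NOW):
    """Emulate the eval timeframe=case(...) expression, with inclusive lower bounds."""
    today = relative_time(now, 0)
    week = relative_time(now, 7)
    month = relative_time(now, 30)
    if event_time >= today:
        return "Today"
    if week <= event_time < today:
        return "7 days"
    if month <= event_time < week:
        return "30 days"
    return None  # outside the 30-day search window


def distinct_users_by_service(events, now=NOW):
    """Emulate: index=api earliest=-30d@d | stats dc(userId) by serviceName"""
    users = defaultdict(set)
    for t, service, user_id in events:
        if t >= relative_time(now, 30):
            users[service].add(user_id)      # a set gives the distinct count for free
    return {service: len(ids) for service, ids in users.items()}


def distinct_users_by_service_and_timeframe(events, now=NOW):
    """Emulate: ... | chart dc(userId) as Users over serviceName by timeframe"""
    users = defaultdict(lambda: defaultdict(set))
    for t, service, user_id in events:
        bucket = timeframe(t, now)
        if bucket is None:
            continue                          # chart drops rows with a null by-field
        users[service][bucket].add(user_id)
    return {service: {b: len(ids) for b, ids in buckets.items()}
            for service, buckets in users.items()}


if __name__ == "__main__":
    print(distinct_users_by_service(EVENTS))
    print(distinct_users_by_service_and_timeframe(EVENTS))
```

Note that the buckets are disjoint, exactly as in the case() query: "7 days" means days 1 to 7 back and excludes today, and "30 days" means days 8 to 30 back. If you want cumulative windows (last 7 days including today), the conditions have to overlap, and then a single event contributes to more than one column.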
This gives me quite a good result, which I was expecting, but can you also tell me if there is a way to get only the top users' stats in a similar report (I don't want all the users' results pulled)? Like, if X is the top API user of today, I want to compare his stats for the last 2 days, to see if there is any spike, in the same query/report.
@Vicky84 - Did either of the below answers help you out? If yes, please click "Accept" below the best answer to resolve your post. If no and you still need help, please leave a comment with some feedback. Thanks!