index="badge" | bucket _time span=30d | timechart count by _time, address | sort - count | head
What I want to do is get a chart that shows each address and the number of unique users per that address:
            January  February  March
address 1   15       18        17
address 2   51       54        71
Essentially, this will let us see how many unique users are coming into work, and whether or not people are actually present to do their jobs. Any thoughts on this?
Hi! Try this:
index="badge" address=* |eval month=strftime(_time, "%m")|chart count by month,address|replace 01 with January in month|replace 02 with February in month|replace 03 with March in month|replace 04 with April in month|replace ............
Here is one example you can use with your _internal index, with sourcetype as your address. Test it and let me know.
index=_internal sourcetype=*| eval month=strftime(_time, "%m")|chart count by month,sourcetype|replace 01 with January in month|replace 02 with February in month|replace 03 with March in month|replace 04 with April in month
Alright, what I have now is the following:
index="acs_na" | timechart span=7d dc(nick) by address
This gives me the following:
address 1 address 2 address 3 address 4 null other address 5,6,7,8
I want to flip these, and do dates across the table, and have a list of the locations since we have 45 sites.
Please be sure that when responding to someone's answer, you click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You've been typing your responses in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer each time when it was really meant as a comment. This will help with a clean continuous flow of the conversation. I already converted your "answers" to comments, so just something to keep in mind from here on out. Thanks!
use table move replace timechart by stats add tables address and count
index="badge" | bucket _time span=30d | stats dc(user) by address| table user count | sort - count | head 100
index="badge" | bucket _time span=30d | timechart dc(nick) by address | sort - count | head 1000
It didn't work, so I tried the one above. Right now it's giving me the following:
site 1 site 2 site 3
date 1 535
date 2 677
date 3 424
I'm wanting to pull up unique users per address over a period of time to see how many people are actually coming to work.
So far I have index=badge, fields for nick, and address, table address date_month count
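An added example, not part of the original thread: one way to get the layout asked for above, with one row per address, one column per month, and a distinct count of users in each cell. It assumes the index and field names used in the thread (index="badge", nick, address); substitute your own. The "other" and "null" columns in the timechart output come from timechart's defaults: it keeps only the top 10 series and adds a NULL series for events with no address. Here address is the row field, events without address or nick are filtered out in the base search, and limit=0 stops the month columns from being collapsed into OTHER.

```spl
index="badge" address=* nick=*
| eval month=strftime(_time, "%Y-%m")
| chart limit=0 dc(nick) over address by month
| sort address
```

The "%Y-%m" format keeps the month columns in chronological order and separates years; renaming the values to month names makes the columns sort alphabetically instead.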