How to edit my search to chart the count of unique users each month per address?

Path Finder

    index="badge" | bucket _time span=30d | timechart count by _time, address | sort - count | head

What I want to do is get a chart that shows each address and the number of unique users per that address:

             January  February  March
address 1       15       18       17
address 2       51       54       71

Essentially, this will let us see how many unique users are coming into work, and whether or not people are actually present to do their jobs. Any thoughts on this?

0 Karma

Re: How to edit my search to chart the count of unique users each month per address?

Path Finder

Hi, try this:

    index="badge" | bucket _time span=30d | timechart dc(users) by _time, address | sort - count | head 10

0 Karma

Re: How to edit my search to chart the count of unique users each month per address?

Path Finder

    index="badge" | bucket _time span=30d | timechart dc(nick) by address | sort - count | head 1000

It didn't work, so I tried the one above. Right now it's giving me the following:

          site 1     site 2     site 3 

date 1 535
date 2 677
date 3 424

0 Karma

Re: How to edit my search to chart the count of unique users each month per address?

Path Finder

Please, antifreke, explain your preoccupation to me again.

0 Karma

Re: How to edit my search to chart the count of unique users each month per address?

Path Finder

I'm wanting to pull up unique users per address over a period of time to see how many people are actually coming to work.

So far I have index=badge, fields for nick, and address, table address date_month count

0 Karma

Re: How to edit my search to chart the count of unique users each month per address?

Path Finder

Use table: replace timechart with stats, and add a table with address and count, like this:

    index="badge" | bucket _time span=30d | stats dc(user) as count by address | table address count | sort - count | head 100

0 Karma

Re: How to edit my search to chart the count of unique users each month per address?

Path Finder

Alright, what I have now is the following:

    index="acs_na" | timechart span=7d dc(nick) by address

This gives me the following:

                     address 1          address 2            address 3    address 4   null   other  address 5,6,7,8

week 1

week 2
week 3

I want to flip these, and do dates across the table, and have a list of the locations since we have 45 sites.

0 Karma
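
The layout asked for in the comment above (one row per address, one column per month, each cell the distinct count of `nick`), as an added example that is not part of the original thread. It assumes the `acs_na` index and the `nick` and `address` fields named in the thread; the `month` field is a hypothetical helper introduced here.

```spl
index="acs_na" address=* nick=*
| eval month=strftime(_time, "%Y-%m")
| chart limit=0 dc(nick) over address by month
```

`chart ... over address by month` puts addresses on the rows, so all 45 sites are listed, and `limit=0` stops the month columns from being collapsed into an `OTHER` column. The `address=* nick=*` filter drops events missing either field, which is what produces the `null` column in the `timechart` output.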

Re: How to edit my search to chart the count of unique users each month per address?

Community Manager

Hi @antifreke

Please be sure that when responding to someone's answer, you click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You've been typing your responses in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer each time when it was really meant as a comment. This will help with a clean continuous flow of the conversation. I already converted your "answers" to comments, so just something to keep in mind from here on out. Thanks!

0 Karma

Re: How to edit my search to chart the count of unique users each month per address?

Builder

Hi,
Do you have a field named users?

0 Karma

Re: How to edit my search to chart the count of unique users each month per address?

Path Finder

I have a field named nick, yes

0 Karma