Solved: Re: How to filter my search to only count the user...

pm771 · ‎09-09-2016

We have a listing of travelers. Every event has the following two fields: USER and LOCATION.

I need a search that will calculate how many frequent travelers visited each location. By definition, frequent traveler is a user that traveled in a given time period at least n times.

If I wanted just a grand total of such users, then I would've written it as:

index=... sourcetype=... | stats count as num by USER | where num > n | stats count as Total

How do I restore an association between selected users and their respective locations?

It sounds like a job for eventstats but I could not come up with a working search.

sundareshr · ‎09-09-2016

See if this gets you what you need

 index=... sourcetype=... | eventstats count as num by USER | where num > n | stats dc(USER) as FT by LOCATION

View solution in original post

sundareshr · ‎09-09-2016

See if this gets you what you need

 index=... sourcetype=... | eventstats count as num by USER | where num > n | stats dc(USER) as FT by LOCATION

pm771 · ‎09-09-2016

Actually my requirements were: how many times frequent travelers visited each location, so I dd not need distinct count.

How to filter my search to only count the users that visited each location at least N number of times?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms