Re: No. of users using application

Ajit · ‎03-03-2023

My log contains entries as shown below.

2023-03-03T14:14:12.718, Level=INFO, ProcessName=App-web, Thread=http-nio-80-exec-78, Code=c.m.Config, Message={"clientIp":"192.168.12.24","cost":1,"method":"GET","reqParam":{"userId":["25632"]},"resp":"{\"code\":1,\"data\":{\"list\":[{\"createDate\":1656942857926,\"groupId\":1000023,\"id\":1173,\"lastUpdate\":16569","user":"myemail@hotmail.com"}

I want to know how many users are using the application in last one hour.

Ajit · ‎03-07-2023

Thanks @yuanliu

Below query worked for me.

| eval Message = replace(_raw, ".+,\s *Message=", "")
| spath input=Message
| stats dc(user) as unique_users

yuanliu · ‎03-04-2023

First, I think your log probably look like this instead:

2023-03-03T14:14:12.718, Level=INFO, ProcessName=App-web, Thread=http-nio-80-exec-78, Code=c.m.Config, Message={"clientIp":"192.168.12.24","cost":1,"method":"GET","reqParam":{"userId":["25632"]},"resp":"{\"code\":1,\"data\":{\"list\":[{\"createDate\":1656942857926,\"groupId\":1000023,\"id\":1173,\"lastUpdate\":16569\",\"user\":\"myemail@hotmail.com\"}]}}"}

Second, you need to explain which field/node in Message represents a "user" in your question. If I have to speculate, it is either userId in reqParam or data.user in resp; I further speculate that neither field, especially userId, can have multiple values in a single transaction. So, I'll use this field.

| eval Message = replace(_raw, ".+,\s *Message=", "")
| spath input=Message
| stats dc('reqParam.userId{}') as unique_users

How to find the No. of users using application?

search job inspector

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!