So I am looking for the number of a specific event (sign-ins) deduped by user, which is simple. The challenge I am having is that I need the results deduped by date. So if I am looking at a week's worth of data, I would like to see how many sign-ins happened each day, deduped by user. So each user would only appear once each day but could appear multiple times over the course of the week, depending.
Does this make sense? Please let me know if I can clarify anything and thanks in advance for any/all help.
Try like this
Your current search with field User and _time
| timechart span=1d dc(User) as UserLogins
@somesoni2 & @gcusello Thanks! This is exactly what I needed.
Hi @HWalk1,
did you try the timechart command?
so if you want to group the login events on a Windows system by user and by day, you could try something like this:
index=wineventlog EventCode=4624
| timechart span=1d count BY user
Ciao.
Giuseppe
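Added example (not part of this thread and not Splunk's own code): a small Python model of what the two searches above compute, @somesoni2's `timechart span=1d dc(User)` and @gcusello's `timechart span=1d count BY user`, run over a few constructed event lines that imitate a 4624 search result. It assumes an ISO-8601 UTC timestamp per event (Splunk buckets `span=1d` on the search's own time zone, so real day boundaries may differ) and the field name `user`; `normalize_case` stands in for an `| eval user=lower(user)` placed before the timechart, which matters because `dc()` is case-sensitive and Windows account names are not.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, not real Windows Security log lines: an ISO-8601 UTC
# timestamp followed by key=value fields, roughly what a 4624 search returns.
SAMPLE_EVENTS = [
    "2024-03-04T08:01:12Z EventCode=4624 user=alice",
    "2024-03-04T09:15:40Z EventCode=4624 user=alice",
    "2024-03-04T10:20:05Z EventCode=4624 user=bob",
    "2024-03-04T23:59:59Z EventCode=4624 user=ALICE",    # same person, different case
    "2024-03-05T00:00:01Z EventCode=4624 user=alice",    # two seconds later, next day bucket
    "2024-03-05T07:30:00Z EventCode=4625 user=mallory",  # failed logon, not a sign-in
    "2024-03-05T12:00:00Z EventCode=4624 user=carol",
    "2024-03-06T06:45:00Z EventCode=4624 user=bob",
    "2024-03-06T06:46:00Z EventCode=4624 user=bob",
]


def parse_event(line):
    """Split one sample line into _time (aware UTC datetime) plus its key=value fields."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def logons(lines, event_code="4624", normalize_case=False):
    """Yield (day, user) pairs for successful logons, bucketed into UTC calendar days.

    normalize_case=True models `| eval user=lower(user)` placed before the timechart;
    without it dc() treats 'alice' and 'ALICE' as two distinct users.
    """
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != event_code:
            continue
        user = ev["user"].lower() if normalize_case else ev["user"]
        yield ev["_time"].date().isoformat(), user


def daily_distinct_users(lines, normalize_case=False):
    """Model of `| timechart span=1d dc(user)`: one number per day, each user counted at most once."""
    users_by_day = defaultdict(set)
    for day, user in logons(lines, normalize_case=normalize_case):
        users_by_day[day].add(user)
    return {day: len(users) for day, users in sorted(users_by_day.items())}


def daily_logons_per_user(lines):
    """Model of `| timechart span=1d count BY user`: raw logon counts per user per day, not deduplicated."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user in logons(lines):
        counts[day][user] += 1
    return {day: dict(per_user) for day, per_user in sorted(counts.items())}


def active_days_per_user(lines, normalize_case=True):
    """Model of `| bucket _time span=1d | stats dc(_time) AS days BY user`:
    on how many distinct days each user signed in during the window."""
    days = defaultdict(set)
    for day, user in logons(lines, normalize_case=normalize_case):
        days[user].add(day)
    return {user: len(d) for user, d in sorted(days.items())}


if __name__ == "__main__":
    print("dc(user) per day, raw:       ", daily_distinct_users(SAMPLE_EVENTS))
    print("dc(user) per day, lowercased:", daily_distinct_users(SAMPLE_EVENTS, normalize_case=True))
    print("count BY user per day:       ", daily_logons_per_user(SAMPLE_EVENTS))
    print("active days per user:        ", active_days_per_user(SAMPLE_EVENTS))
```

The raw `dc(user)` for 2024-03-04 comes out as 3 because `ALICE` is counted separately from `alice`; lowercasing first gives 2. The same case-sensitivity applies to field names in SPL: the first answer uses `User` and the second `user`, and only the spelling that matches the extracted field will produce results.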