Splunk Search

How to get total count and average count of users by file name?

prakash007
Builder

I'm trying to calculate Total count and avg(count) of users on a specific file...

I don't think it's the right way to do it; any help would be appreciated. Thanks.

index=web sourcetype=web_access refe_domain=sample.com file="checkout.jsp" JSESSIONID!="-" | dedup JSESSIONID | stats dc(trueclientip) as TotalUsers by file | stats avg(TotalUsers)
0 Karma

somesoni2
Revered Legend

Try something like this

index=web sourcetype=web_access refe_domain=sample.com file="checkout.jsp" JSESSIONID!="-" | dedup JSESSIONID | bucket span=1d _time | stats dc(trueclientip) as TotalUsers by _time file | eventstats avg(TotalUsers) as AvgUsers by file
0 Karma

bmacias84
Champion

You may want to look at the appendpipe command.

index=web sourcetype=web_access refe_domain=sample.com file="checkout.jsp" JSESSIONID!="-" | dedup JSESSIONID | stats dc(trueclientip) as TotalUsers by file | appendpipe [stats avg(TotalUsers)]

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Appendpipe

prakash007
Builder

It's giving me the same values under TotalUsers and avg(TotalUsers), not sure if I'm asking the question in the right way...

I'm looking for TotalUsers/day and also avg users..?

0 Karma

somesoni2
Revered Legend

The per day requirement is not in the question.

0 Karma

abhijitmishra87
Explorer

mcnamara - can you put down a sample event?

0 Karma
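
Added example, not part of any post in this thread: a Python model of the searches above, run over constructed events, showing why averaging the single per-file row returns the same number as TotalUsers and what the one-day bucket changes. The event values and function names are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events: (_time, JSESSIONID, trueclientip, file)
EVENTS = [
    ("2016-03-01T09:00:00", "s1", "192.0.2.1", "checkout.jsp"),
    ("2016-03-01T09:05:00", "s1", "192.0.2.1", "checkout.jsp"),  # same session
    ("2016-03-01T10:00:00", "s2", "192.0.2.2", "checkout.jsp"),
    ("2016-03-01T11:00:00", "s3", "192.0.2.2", "checkout.jsp"),  # same IP, new session
    ("2016-03-02T09:00:00", "s4", "192.0.2.1", "checkout.jsp"),
    ("2016-03-02T12:00:00", "s5", "192.0.2.3", "checkout.jsp"),
    ("2016-03-02T13:00:00", "s6", "192.0.2.4", "checkout.jsp"),
    ("2016-03-03T08:00:00", "s7", "192.0.2.1", "checkout.jsp"),
]

def dedup_sessions(events):
    """Model of `dedup JSESSIONID`: keep the first event seen per session id."""
    seen, kept = set(), []
    for ev in events:
        if ev[1] not in seen:
            seen.add(ev[1])
            kept.append(ev)
    return kept

def distinct_ips(events, key):
    """Model of `stats dc(trueclientip) by <key>`: one row per key value."""
    groups = defaultdict(set)
    for ev in events:
        groups[key(ev)].add(ev[2])
    return {k: len(ips) for k, ips in groups.items()}

def total_then_avg(events):
    """`stats dc(...) by file | stats avg(TotalUsers)`: averages one row per file."""
    rows = distinct_ips(dedup_sessions(events), key=lambda ev: ev[3])
    return rows, mean(rows.values())

def daily_with_avg(events):
    """`bucket span=1d _time | stats dc(...) by _time file | eventstats avg(...) by file`."""
    rows = distinct_ips(dedup_sessions(events), key=lambda ev: (ev[0][:10], ev[3]))
    per_file = defaultdict(list)
    for (_day, file), users in rows.items():
        per_file[file].append(users)  # one value per day, so the average is meaningful
    return rows, {file: mean(counts) for file, counts in per_file.items()}

if __name__ == "__main__":
    print(total_then_avg(EVENTS))
    print(daily_with_avg(EVENTS))
```

With only one row per file there is nothing to average over, so the average equals the total; grouping by day first yields one row per day and a per-file average across days.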