How to search the count of a single event for a us...

pparkerntx99 · ‎09-04-2014

Howdy from Dallas Tx,
I'm a new Splunk user and I'm fighting with search.
I am using a subsearch that returns a subset of data for my main search.

I'm attempting to count only one event per day and sum over a week, However my search only returns only a single user event over the whole week custom time period. I know there are multiple events over the week period for my results when I took out the "DEDUP" command.
What I'm trying to get as output is the sum of a single user's event(of multiple) per day for the week.
so output would be user\JDoe 4

index="login" sourcetype="Login"[search index="hrdata" sourcetype="HRFeed" Employee=John Doe | table SignonID ]
| dedup USERID | bucket _time span=1d | stats count as LoginCount by _time, USERID | sort USERID
_time USERID LoginCount
6/29/14 12:00:00.000 AM User\JDoe 1

pradeepkumarg · ‎09-04-2014

if you want only one event per day, then try using something like this

... | dedup USERID, date_mday | stats count as LoginCount by USERID

Running the above search for a 7 day period should give you what you are expecting

pparkerntx99 · ‎09-04-2014

Thanks that helped a lot, I had to change my bucket to week instead of day

Thanks again for your help

How to search the count of a single event for a user per day and sum over the period of a week?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!