Splunk Search

How to search the count of all users that have had a specific status for at least X days?

Engager

Hi all,

Hope you can help me.

I have the following: every day I receive user data, and I want to count all users with a specific status. Then I want to count the status over the last 30 days to see if some users have had the status for at least 30 days:

Time=Last 30 days

sourcetype=XYZ | search userstatus="Transition" | stats count by user

Now I can put this in a table:

|table user, count

Example:

user1 | 30
user2 | 30
user3 | 30
user4 | 29
user5 | 1

But what I want is a single value. For this example, the result should be 3, because 3 users have had the status for at least 30 days.

Can someone help me? I think this is really easy, but I have a knot in my head now 😄

thanks, br, Lisi

0 Karma

Legend

You can filter it using the where clause, like this:

sourcetype=XYZ userstatus="Transition" | stats count by user | where count>=30 
0 Karma
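
Added example, not part of the original thread: the search above returns one row per matching user, and `stats count by user` counts events rather than days, so a user reported more than once on the same day would be overcounted. This variant buckets events by day, counts distinct days per user over the last 30 full days, and then reduces the rows to the single value the question asks for. The field names `days_in_status` and `users_with_status_30d` are made up for illustration, and the search assumes at least one event per user per day.

```spl
sourcetype=XYZ userstatus="Transition" earliest=-30d@d latest=@d
| bin _time span=1d
| stats dc(_time) AS days_in_status BY user
| where days_in_status >= 30
| stats count AS users_with_status_30d
```

For the sample table in the question this returns 3. If no user qualifies, the final `stats count` still returns a row with 0, which suits a single-value panel.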

Engager

Thanks so much! That was really easy 😄

0 Karma