Splunk Search

How to search the total number of users per day?

sim_tcr
Communicator

Hello,

I have a field where the user names are recorded. I want to display a timechart with the total number of users for a day.

user
------
user1
user2
user5
user6
...
...

Please help me construct the search.

index="_internal" sourcetype=splunk_web_access source="/apps/splunk/var/log/splunk/web_access.log" 

Thanks,
Simon Mandy


javiergn
Super Champion

If you want total number of users:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d count(user) as total_users

If you want distinct number of users:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d dc(user) as distinct_users

If you want the count per user:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d count as count_user by user
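
To compare the aggregations from the answer above on known input, the following search is an added example, not part of the original thread. It builds six constructed events with `makeresults`, spread over the two previous days, and charts `count`, `count(user)` and `dc(user)` side by side. The helper fields `n` and `day_start`, the output name `events`, and the sample user values are assumptions made for the illustration. Event 4 is deliberately left without a `user` value.

```spl
| makeresults count=6
| streamstats count as n
| eval day_start = if(n<=4, relative_time(now(), "-2d@d"), relative_time(now(), "-1d@d"))
| eval _time = day_start + n*3600
| eval user = case(n==1, "user1", n==2, "user1", n==3, "user2", n==5, "user5", n==6, "user6")
| timechart span=1d count as events, count(user) as total_users, dc(user) as distinct_users
```

`count(user)` skips the event that has no `user` value, while `dc(user)` counts each user name once per day, so the three columns diverge on the first day.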
