Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Number of distinct days an event occurs on, within the last month

fuzzy_rocks
Explorer
‎09-24-2013 06:26 PM

I would like to chart a count of how many distinct days users logged into our system within the past 7 days. When I try to count days, I keep getting 0. Assuming I have seen a total of 200 unique users, output would be something like 100 users seen 7 unique days, 90 users seen 6 unique days, and 10 users seen on 4 unique days.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Narj
Path Finder
‎09-25-2013 03:47 AM

Not sure if I have the wrong end of the stick, but it's quite easy to get individual day count for events like this:

[host or other filter] AND [event-string] | dedup 1 host date_mday | stats count by host

That's obviously by host but you can change to your username extracted field to do a similar sort of thing...

This seems to work for cisco on my system... how many distinct days users made config changes..

"%SYS-5-CONFIG_I: Configured" | dedup 1 cisco_configuredby,date_mday | stats count by cisco_configuredby

Not sure I can help with the chart though. 🙂

EDIT:

"%SYS-5-CONFIG_I: Configured" | dedup 1 cisco_configuredby,date_mday | stats count AS days by cisco_configuredby | stats count by days

days count
1 17
2 11
3 5
5 2

View solution in original post

Reply
Solved! Jump to solution
Solution

Narj
Path Finder
‎09-25-2013 03:47 AM

Not sure if I have the wrong end of the stick, but it's quite easy to get individual day count for events like this:

[host or other filter] AND [event-string] | dedup 1 host date_mday | stats count by host

That's obviously by host but you can change to your username extracted field to do a similar sort of thing...

This seems to work for cisco on my system... how many distinct days users made config changes..

"%SYS-5-CONFIG_I: Configured" | dedup 1 cisco_configuredby,date_mday | stats count by cisco_configuredby

Not sure I can help with the chart though. 🙂

EDIT:

"%SYS-5-CONFIG_I: Configured" | dedup 1 cisco_configuredby,date_mday | stats count AS days by cisco_configuredby | stats count by days

days count
1 17
2 11
3 5
5 2

Reply
Solved! Jump to solution

fuzzy_rocks
Explorer
‎09-26-2013 09:36 AM

Thanks! I got it done with

....| stats dc(date_mday) AS UserDaysCount by UserID | chart count(UserDaysCount) by UserDaysCount

which works for less than one month. Not sure why I was getting zero answer at the start, must've had some typo.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...