Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Rolling Distinct Counts

timrcase
Explorer
‎06-17-2013 02:09 PM

We have a table with the following columns:

SESSION_ID      USER_ID          CONNECT_TS
--------------  ---------------  ---------------
1               99               2013-01-01 2:23:33
2               101              2013-01-01 2:23:55
3               104              2013-01-01 2:24:41
4               101              2013-01-01 2:24:43
5               233              2013-01-01 2:25:01

We need to get a distinct count of users for each day and a distinct count of users that have used the application within 45 days of each day. Is this possible using Splunk?

Tags (2)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-17-2013 04:45 PM

Assuming this is already indexed in Splunk as events, and that the timestamp is parsed correctly.

your_base_search earliest=-45d@d 
| bucket span=1d _time 
| stats dc(USER_ID) by _time 
| append [search your_base_search = -45d@d 
| stats dc(USER_ID) as Total 
| fields + Total]

UPDATE:

Assuming you want the report to cover a 30-day period, you'll need to search through 75 days of data;

your_base_search earliest=-75d@d latest=@d 
| bucket span=1d _time 
| stats values(USER_ID) as dv_daily dc(USER_ID) as dc_daily by _time 
| streamstats window=45 dc(dv_daily) as dc_45d 
| fields - dv_daily 
| tail 30 
| sort _time

The last three lines are just for getting tidier results (remove the disticnt values, trim off the first 45 days from the presentation, and resort the results)

/K

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-18-2013 10:18 AM

Yes that makes sense. Didn't read carefully enough. See above for solution. /k

0 Karma
Reply

timrcase
Explorer
‎06-17-2013 05:43 PM

This isn't quite what I'm looking for. It's providing a count of distinct users per day for 45 days, and a distinct user count for the entire period, but I need a count of distinct users within 45 days of each date. For example, the row for 1/1/2013 would have a count of users the app on 1/1 and a count of users that used the app in the 45 days prior (11/17/2013 to 1/1/2013). The row 1/2/2013 would have a count of users that used the app on 1/2 and a count of users that used the app in the 45 days prior (11/18/2012 to 1/2/2013), and so on. Does that make sense?

0 Karma
Reply

timrcase
Explorer
‎06-17-2013 02:48 PM

At this point I'll take anything I can get, but ideally it would be a 3 column table with Day, Daily Users, Active Users in the columns and a row for each day. I could make a single search that returns the rolling count of active users for each day work though.

0 Karma
Reply

cpeteman
Contributor
‎06-17-2013 02:25 PM

Do you want two separate searches or one row with the distinct count of users in the past day and another row with the dc of users in the last 45 days?

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...