Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Rolling Distinct Counts

timrcase
Explorer
‎06-17-2013 02:09 PM

We have a table with the following columns:

SESSION_ID      USER_ID          CONNECT_TS
--------------  ---------------  ---------------
1               99               2013-01-01 2:23:33
2               101              2013-01-01 2:23:55
3               104              2013-01-01 2:24:41
4               101              2013-01-01 2:24:43
5               233              2013-01-01 2:25:01

We need to get a distinct count of users for each day and a distinct count of users that have used the application within 45 days of each day. Is this possible using Splunk?

Tags (2)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-17-2013 04:45 PM

Assuming this is already indexed in Splunk as events, and that the timestamp is parsed correctly.

your_base_search earliest=-45d@d 
| bucket span=1d _time 
| stats dc(USER_ID) by _time 
| append [search your_base_search = -45d@d 
| stats dc(USER_ID) as Total 
| fields + Total]

UPDATE:

Assuming you want the report to cover a 30-day period, you'll need to search through 75 days of data;

your_base_search earliest=-75d@d latest=@d 
| bucket span=1d _time 
| stats values(USER_ID) as dv_daily dc(USER_ID) as dc_daily by _time 
| streamstats window=45 dc(dv_daily) as dc_45d 
| fields - dv_daily 
| tail 30 
| sort _time

The last three lines are just for getting tidier results (remove the disticnt values, trim off the first 45 days from the presentation, and resort the results)

/K

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-18-2013 10:18 AM

Yes that makes sense. Didn't read carefully enough. See above for solution. /k

0 Karma
Reply

timrcase
Explorer
‎06-17-2013 05:43 PM

This isn't quite what I'm looking for. It's providing a count of distinct users per day for 45 days, and a distinct user count for the entire period, but I need a count of distinct users within 45 days of each date. For example, the row for 1/1/2013 would have a count of users the app on 1/1 and a count of users that used the app in the 45 days prior (11/17/2013 to 1/1/2013). The row 1/2/2013 would have a count of users that used the app on 1/2 and a count of users that used the app in the 45 days prior (11/18/2012 to 1/2/2013), and so on. Does that make sense?

0 Karma
Reply

timrcase
Explorer
‎06-17-2013 02:48 PM

At this point I'll take anything I can get, but ideally it would be a 3 column table with Day, Daily Users, Active Users in the columns and a row for each day. I could make a single search that returns the rolling count of active users for each day work though.

0 Karma
Reply

cpeteman
Contributor
‎06-17-2013 02:25 PM

Do you want two separate searches or one row with the distinct count of users in the past day and another row with the dc of users in the last 45 days?

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...