Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Stats/Chart count distinct users by Country an...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a query showing the amount of distinct logins by IP address based on the "term" i've created in the query.
| stats earliest(_time) as first_login latest(_time) as last_login by IP_address User
| eval term=last_login-first_login
| eval term=case(term<86400, "Very Short", term>86400 AND term<(86400*7), "Short", term>(86400*7), "Long")
| chart dc(User) as usercount by IP_address,term
| iplocation IP_address
| where (isnotnull(Country) AND isnotnull(City) AND NOT Country="United States" AND trim(Country)!="" AND trim(City)!="")
| stats sum("Very Short") AS "Very Short", sum(Short) AS Short, sum(Long) AS Long by Country, City
After doing some cross-checking, I realized these results are counting multiple values for users if that makes sense. So if "xxx99" had three "Very Short" logins and "xxx90" had 2 "Very Short" logins, its counting it as 5 "Very Short", when in fact I need it to count as 2 (the amount of users that were categorized as Very Short at least once).
I've tried getting around this myself with this:
| stats earliest(_time) as first_login latest(_time) as last_login by IP_address User
| eval term=last_login-first_login
| eval term=case(term<86400, "Very Short", term>86400 AND term<(86400*7), "Short", term>(86400*7), "Long")
| iplocation IP_address
| stats dc(User) AS usercount by Country City term
| where (isnotnull(Country) AND isnotnull(City) AND NOT Country="United States" AND trim(Country)!="" AND trim(City)!="")
| search Country=Azerbaijan
| chart sum(usercount) over Country by term
but with those results, I can't seem to get it to display the Country AND City, not just the City.
Any thoughts?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
| stats earliest(_time) as first_login latest(_time) as last_login by IP_address User
| eval term=last_login-first_login
| eval term=case(term<86400, "Very Short", term>86400 AND term<(86400*7), "Short", term>(86400*7), "Long")
| iplocation IP_address
| where (isnotnull(Country) AND isnotnull(City) AND NOT Country="United States" AND trim(Country)!="" AND trim(City)!="")
| stats dc(User) AS usercount by Country City term
| search Country=Azerbaijan | eval temp=Country."##".City
| chart sum(usercount) over temp by term | rex field=temp "(?<Country>.+)##(?<City>.+)" | table Country, City "Very Short", Short, Long
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
| stats earliest(_time) as first_login latest(_time) as last_login by IP_address User
| eval term=last_login-first_login
| eval term=case(term<86400, "Very Short", term>86400 AND term<(86400*7), "Short", term>(86400*7), "Long")
| iplocation IP_address
| where (isnotnull(Country) AND isnotnull(City) AND NOT Country="United States" AND trim(Country)!="" AND trim(City)!="")
| stats dc(User) AS usercount by Country City term
| search Country=Azerbaijan | eval temp=Country."##".City
| chart sum(usercount) over temp by term | rex field=temp "(?<Country>.+)##(?<City>.+)" | table Country, City "Very Short", Short, Long
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The temp= line is combining two fields Country and City ( your can use any name for that matter, I used temp as it's a temporary field). So this way we ran the chart with 3 field grouping (using temp). Once the data is charted, we're using rex command to separate out those combined fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay very interesting, i'm learning a lot still. Is there a way to display this with geostats?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this seems to work. I changed the order of the first eval to eval term=case(term>(86400*7), "Long", term>86400 AND term<(86400*7), "Short", term<86400, "Very Short") so that if a user is identified as Long, they can't also be counted for short/very short.
I also added a dedup User after the stats dc(User) cmd line which looks to do what I've been looking for!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
could I ask what exactly the eval temp= line is doing? I can't seem to find much info about that or the rex cmd how it works.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
