Stats for number of days a user was active in time...

ChuckM · ‎06-28-2024

I am trying to get a table showing the number of days a user was active in the given time period. I currently have a working search that gives me the number of total logins for each user and one that gives me the number of unique users per day. I am looking for "unique days per user".
ie. if Dave logs in 5x Monday, 3x Tuesday , 0x Wednesday, 2x Thursday, & 0x Friday I want to show 3 active days not 10 logins

richgalloway · ‎06-28-2024

Can you share the current query?

---
If this reply helps you, Karma would be appreciated.

ChuckM · ‎06-28-2024

the query is:

index=main host=[hostname] Operation="UserLogon" ApplicationId=[appid]

If I add:

| timechart span=1d dc(UserId)
I get Unique users per day

OR I can run with:

|  stats count by UserId

to get total logins per user for the period

I am looking to get "unique days per user"

richgalloway · ‎06-28-2024

See if this helps.

index=main host=[hostname] Operation="UserLogon" ApplicationId=[appid] 
| bin span=1d _time
| stats dc(_time) as numDays by UserId

---
If this reply helps you, Karma would be appreciated.

ChuckM · ‎06-28-2024

That did it, thanks for the assist.

Stats for number of days a user was active in time period

chart

count

table

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Are you a member of the Splunk Community?