Splunk Search

Time chart with events consist of unique count

New Member

i have a user login info log file like below for eg, when i prepare a time chart for last 2 days, i need the unique user logged on that particular day on a span of 1 day. there is case where x might have logged in multiple times per day, so dedup would work but that counts for entire span (2 days)..

today
x logged in
y logged in
z logged in

yesterday
x loged in
z logged in

please let me know how can this be achived?

0 Karma

Legend

Hi iamjosh007
try something like this

your_search
| timechart dc(user) AS login span=1d

Bye.
Giuseppe

0 Karma