Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart: Unique User of the Last 7 Days
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I would like to create a (time-)chart, that always counts the unique users of the last 7 Days.
For Instance the table should look like this:
07.01.2013 - 1500
08.01.2013 - 2000
09.01.2013 - 2500
The first number means, that there have been 1500 unique users during 01.01.2013 - 07.01.2013.
The second number means, that there have been 2000 unique users during 02.01.2013 - 08.01.2013.
The third number means, that there have been 2500 unique users during 03.01.2013 - 09.01.2013.
It would be great, if somebody could tell me how to do this.
Thanks in advance
Heinz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes;
sourcetype="blah"
| timechart span=1d values(userid) as distinct_users
| streamstats window=7 values(distinct_users) as weekly_users, dc(distinct_users) as weekly_count
Substitute 'userid' with 'clientip' or whatever you have. When you're sure the search is doing what you want, you can remove the values(distinct_users) as weekly_users part of the streamstats command
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Kristian,
I checked it again and obviously I made a mistake yesterday. Everthing seems to work fine, even for weeks (window=7) and 30 days (window=30).
Thanks again!
Heinz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
thanks a lot for your answers. Kristian, I tried out your search and this seems to work fine for the "Last Seven Days". I checked this back for some days in the timechart.
I expected, that a change to "window=30" will calculate the dc of users of the last 30 days. But there are differences, when i check back the results of the timechart. Do you have an idea why this happens?
Best
Heinz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes;
sourcetype="blah"
| timechart span=1d values(userid) as distinct_users
| streamstats window=7 values(distinct_users) as weekly_users, dc(distinct_users) as weekly_count
Substitute 'userid' with 'clientip' or whatever you have. When you're sure the search is doing what you want, you can remove the values(distinct_users) as weekly_users part of the streamstats command
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you might want to add an extra line at the end as well;
| fields - distinct_users
to get just the two fields you specified in the output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My suggestion would be to create a summary index search which will run daily and store the no of unique users for past 7 days into the summary index. Once this is scheduled and running, you can create your search out of that summary index.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
