Solved: Timechart and Order of Operations

mistydennis · ‎04-06-2020

I am struggling with the order of operations in my timechart query. I need to show the number of Users who accessed a system daily over a 7 day period. My query shows the correct numbers for 1 day, but when I extend the timepicker to 7 days the numbers are incorrect. I've tried using dedup to get the distinct number of users, but this causes a problem when I extend the timepicker (it then dedupes users across 7 days instead of per day). Help.

index=foo sourcetype="bar" realm="keywords" | stats dc(User) by _time, status | timechart span=1d count by status

mistydennis · ‎04-06-2020

Finally figured it out. The correct timechart command was:
index=foo sourcetype="bar" realm="keywords" | timechart span=1d distinct_count(User) by status

View solution in original post

mistydennis · ‎04-06-2020

Finally figured it out. The correct timechart command was:
index=foo sourcetype="bar" realm="keywords" | timechart span=1d distinct_count(User) by status

richgalloway · ‎04-06-2020

How are the 7-day numbers incorrect?
Have you tried ignoring status? Status shouldn't matter when you only care about user count.

---
If this reply helps you, Karma would be appreciated.

mistydennis · ‎04-06-2020

So, for example, if I look at April 2 only I get 100 users (correct). If I extend the time picker to April 1 - 2, the numbers are April 1: 25 users (should be 50), April 2: 30 users (should be 100). I need status because I need the split-by count.

Timechart and Order of Operations

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor