Splunk Search

search that captures sum of users by url

Splunk Employee
Splunk Employee

I need to add something to the following string (or rewrite it) that captures users sum by url by date. Any help would be appreciated.

host="192.xxx.xxx.xx" Prism http://host1.com:80//Citrix/MetaFrame action="POST"| stats count by user, dest_url

Thank you!

1 Solution

SplunkTrust
SplunkTrust

sounds like

host="192.xxx.xxx.xx" Prism http://host1.com:80//Citrix/MetaFrame action="POST" | timechart span=1d dc(user) by dest_url

run that over a week's worth of data and it'll give you 7 rows where each row is a particular day, each column across the top is a particular dest_url and the numbers in the cells are the distinct count of 'user' for that day and that dest_url

View solution in original post

SplunkTrust
SplunkTrust

sounds like

host="192.xxx.xxx.xx" Prism http://host1.com:80//Citrix/MetaFrame action="POST" | timechart span=1d dc(user) by dest_url

run that over a week's worth of data and it'll give you 7 rows where each row is a particular day, each column across the top is a particular dest_url and the numbers in the cells are the distinct count of 'user' for that day and that dest_url

View solution in original post