I was asked to provide active users since December 2016. With the logs we're working with, there's really no way to get a number of "active users"; someone at my branch suggested the best way would be to get a number for distinct users, but there would be no way to distinguish between users who logged into the system once and those who log in regularly.
My proposed solution is to provide the distinct user count but to only count users that appear in 5 or more events (I was told I can assume 5 events is enough to consider them "active"). Is there a way to do this or would anyone have some advice? What I have so far is just the distinct users part, but I haven't been able to figure out what limits the distinct user count based on number of events per distinct user.
sourcetype=access* uri_path=* NOT eventtype=Web* | fillnull value="Missing Field" | stats dc(UID) as distinct_users
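One way to express the threshold described above in SPL, as an added example that is not part of the original post. It reuses the base search and the UID field from the post, takes 5 events as the cutoff, and assumes the search time range is set to begin in December 2016. The first stats produces one row per UID with its event count, and the second reports the plain distinct count alongside the count of users at or above the cutoff:

```spl
sourcetype=access* uri_path=* NOT eventtype=Web*
| stats count AS events BY UID
| stats dc(UID) AS distinct_users, count(eval(events>=5)) AS active_users
```

The fillnull step is left out here on purpose: stats ... BY UID skips events that have no UID, whereas filling the field with "Missing Field" would count all such events as one additional user.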