Security

Chart of unique user logins per day

jeck11
Path Finder

I feel like an idiot because this should be simple. I'm trying to get a basic graph showing unique user logins per day for our Splunk Cloud environment. This search came from the "Utilization Monitor for Splunk" app and I thought it would be as easy as adding "by day" to the stats segment but that didn't work.

index=_audit user!="splunk-system-user" user!="N/A" user=* host=* NOT (action=log* info=fail*) | stats dc(user) as "Splunkers"

If I were the only user to log in and I only work Mon-Fri then I would expect the chart to be something like 0,1,1,1,1,1,0.
[example chart image not preserved]

Can someone please point out what I'm missing before I lose the little hair I have left?

0 Karma
1 Solution

to4kawa
Ultra Champion
index=_audit user!="splunk-system-user" user!="N/A" user=* host=* NOT (action=log* info=fail*)
| eval date_wday=strftime(_time,"%F")
| chart dc(user) as "Splunkers" by date_wday,user
| eval date_wday=strftime(strptime(date_wday,"%F"),"%A")

0 Karma

jeck11
Path Finder

index=_audit user!="splunk-system-user" user!="N/A" user=* host=* NOT (action=log* info=fail*)
| eval date_wday=strftime(_time,"%F")
| chart dc(user) as "Splunkers" by date_wday

Thank you! The strftime is the key for getting the data I needed.

0 Karma
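Added example, not from the thread or from Splunk: a small Python script that does outside Splunk what the accepted search and the simplified follow-up search do inside it, so the two mechanics are visible. It applies the same filters (drop splunk-system-user and N/A, drop events that are both action=log* and info=fail*), buckets each event by the date portion of its timestamp (the strftime(_time,"%F") step), takes the distinct user count per bucket, and labels each bucket with its weekday name (the strptime/"%A" step). It also does one thing the chart-by-date search does not: it emits a 0 for days with no qualifying events, which is what the expected 0,1,1,1,1,1,0 shape needs. The sample events are constructed in a simplified key=value form modelled on the _audit index; they are not real audit output, and the helper names are my own.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events (not real _audit output): one successful login per
# weekday by a single user, a splunk-system-user event on Sunday and a failed
# login on Saturday, both of which the search's filters are meant to exclude.
SAMPLE_EVENTS = [
    "timestamp=2020-07-26 03:00:00, user=splunk-system-user, action=search, info=granted",
    "timestamp=2020-07-27 08:02:11, user=jeck11, action=login attempt, info=succeeded",
    "timestamp=2020-07-27 08:05:40, user=jeck11, action=search, info=granted",
    "timestamp=2020-07-28 08:10:03, user=jeck11, action=login attempt, info=succeeded",
    "timestamp=2020-07-29 07:58:27, user=jeck11, action=login attempt, info=succeeded",
    "timestamp=2020-07-30 08:01:55, user=jeck11, action=login attempt, info=succeeded",
    "timestamp=2020-07-31 08:03:19, user=jeck11, action=login attempt, info=succeeded",
    "timestamp=2020-08-01 14:22:09, user=jeck11, action=login attempt, info=failed",
]

KV_RE = re.compile(r"(\w+)=([^,]+)")


def parse_event(line):
    """Turn one key=value audit-style line into a dict of stripped values."""
    return {k: v.strip() for k, v in KV_RE.findall(line)}


def keep_event(ev):
    """Replicate the search filters from the thread.

    user!="splunk-system-user" user!="N/A" user=*  -> real, named users only
    NOT (action=log* info=fail*)                    -> a failed login is not a login
    """
    user = ev.get("user")
    if user in (None, "", "splunk-system-user", "N/A"):
        return False
    if ev.get("action", "").startswith("log") and ev.get("info", "").startswith("fail"):
        return False
    return True


def distinct_users_per_day(lines, start, end):
    """Return [(YYYY-MM-DD, weekday name, dc(user)), ...] for every day from
    start to end inclusive.  Days with no qualifying events get 0, which a
    chart keyed on a string date field would otherwise silently omit."""
    users_by_day = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if not keep_event(ev):
            continue
        day = ev["timestamp"][:10]  # same bucketing as strftime(_time, "%F")
        users_by_day[day].add(ev["user"])

    rows = []
    d = datetime.strptime(start, "%Y-%m-%d")
    last = datetime.strptime(end, "%Y-%m-%d")
    while d <= last:
        key = d.strftime("%Y-%m-%d")
        # strftime(strptime(date_wday, "%F"), "%A") equivalent for the label
        rows.append((key, d.strftime("%A"), len(users_by_day.get(key, set()))))
        d += timedelta(days=1)
    return rows


if __name__ == "__main__":
    for day, weekday, splunkers in distinct_users_per_day(SAMPLE_EVENTS, "2020-07-26", "2020-08-01"):
        print(f"{day} {weekday:<9} Splunkers={splunkers}")
```

Two things worth keeping in mind when reading the real search: the filters exclude failed logins but do not restrict the result to login events, so dc(user) over _audit counts users who did anything auditable that day (searches included), not strictly users who logged in; and a chart split by a formatted date string only shows days that had events, so a quiet weekend disappears from the x-axis rather than showing as 0.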

Anantha123
Communicator

Hi,

Try this

index=_audit user!="splunk-system-user" user!="N/A" user=* host=* NOT (action=log* info=fail*) | chart dc(user) as "Splunkers" by user , date_wday

Thanks
Anantha

0 Karma

jeck11
Path Finder

That broke it down more granularly than I was looking for. I updated the question with an example chart.

0 Karma