- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Number of distinct days an event occurs on, within...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to chart a count of how many distinct days users logged into our system within the past 7 days. When I try to count days, I keep getting 0. Assuming I have seen a total of 200 unique users, output would be something like 100 users seen 7 unique days, 90 users seen 6 unique days, and 10 users seen on 4 unique days.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure if I have the wrong end of the stick, but it's quite easy to get individual day count for events like this:
[host or other filter] AND [event-string] | dedup 1 host date_mday | stats count by host
That's obviously by host but you can change to your username extracted field to do a similar sort of thing...
This seems to work for cisco on my system... how many distinct days users made config changes..
"%SYS-5-CONFIG_I: Configured" | dedup 1 cisco_configuredby,date_mday | stats count by cisco_configuredby
Not sure I can help with the chart though. 🙂
EDIT:
"%SYS-5-CONFIG_I: Configured" | dedup 1 cisco_configuredby,date_mday | stats count AS days by cisco_configuredby | stats count by days
days count
1 17
2 11
3 5
5 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure if I have the wrong end of the stick, but it's quite easy to get individual day count for events like this:
[host or other filter] AND [event-string] | dedup 1 host date_mday | stats count by host
That's obviously by host but you can change to your username extracted field to do a similar sort of thing...
This seems to work for cisco on my system... how many distinct days users made config changes..
"%SYS-5-CONFIG_I: Configured" | dedup 1 cisco_configuredby,date_mday | stats count by cisco_configuredby
Not sure I can help with the chart though. 🙂
EDIT:
"%SYS-5-CONFIG_I: Configured" | dedup 1 cisco_configuredby,date_mday | stats count AS days by cisco_configuredby | stats count by days
days count
1 17
2 11
3 5
5 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! I got it done with
....| stats dc(date_mday) AS UserDaysCount by UserID | chart count(UserDaysCount) by UserDaysCount
which works for less than one month. Not sure why I was getting zero answer at the start, must've had some typo.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
