I would like to generate a graph that shows the daily unique visitors login based on their e-mail address.
If i logged in yesterday and today, my login should show yesterday and today.
Currently I am running the following search and that shows my login only once.
Below is the search string I am using:
"login *" sourcetype="*prod_logs" | rex field=_raw "login (?<email>.*)" | | dedup email | eval month_day=strftime(_time,"%2y/%2m/%2d") | chart count by month_day [Date Range: Month to date]
Any suggestion on how to graph the unique logins for each day and not unique for "Month to date"?
See the answers below for working alternative solutions. Just wanted to point out why yours doesn’t work as intended:
You do a dedup by email, which retains only a single event per user, loosing information on the date. You should have included _time in your dedup command.
Even easier, when you use the _time of the event, then:
"login " sourcetype="*prod_logs" | rex field=_raw "login (?.)"
| timechart dc(email)
Try using distinct count like this:
"login *" sourcetype="*prod_logs" | rex field=_raw "login (?<email>.*)" | eval month_day=strftime(_time,"%2y/%2m/%2d") | chart dc(email) by month_day