Dashboards & Visualizations

How to generate a graph to show daily unique users?

greekindian
New Member

I would like to generate a graph that shows the daily unique visitors login based on their e-mail address.

If i logged in yesterday and today, my login should show yesterday and today.
Currently I am running the following search and that shows my login only once.

Below is the search string I am using:

   "login *" sourcetype="*prod_logs"  | rex field=_raw "login (?<email>.*)"  | | dedup email | eval month_day=strftime(_time,"%2y/%2m/%2d") | chart count by month_day [Date Range: Month to date]

Any suggestion on how to graph the unique logins for each day and not unique for "Month to date"?

Tags (2)
0 Karma

FrankVl
Ultra Champion

See the answers below for working alternative solutions. Just wanted to point out why yours doesn’t work as intended:
You do a dedup by email, which retains only a single event per user, loosing information on the date. You should have included _time in your dedup command.

christoph_puppe
Engager

Even easier, when you use the _time of the event, then:

"login " sourcetype="*prod_logs" | rex field=_raw "login (?.)"

| timechart dc(email)

0 Karma

chanfoli
Builder

Try using distinct count like this:

 "login *" sourcetype="*prod_logs"  | rex field=_raw "login (?<email>.*)"  | eval month_day=strftime(_time,"%2y/%2m/%2d") | chart dc(email) by month_day
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...