Solved: How to edit my search to chart the count of unique...

antifreke · ‎03-25-2015

index="badge" |  bucket _time span=30d | timechart count by _time, address | sort - count | head

What I want to do is get a chart that shows each address and the number of unique users per that address:

             January  February  March
address 1       15       18       17
address 2       51       54       71

Essentially, this will let us see how many unique users are coming into work, and whether or not people are actually present to do their jobs. Any thoughts on this?

Tanefo · ‎03-25-2015

hi try this
index="badge" | bucket _time span=30d | timechart dc(users) by _time, address | sort - count | head 10

View solution in original post

stephanefotso · ‎03-26-2015

here is one example you can use with your _internal index, sourcetype as your address. test it and let me know

index=_internal sourcetype=*| eval month=strftime(_time, "%m")|chart  count by month,sourcetype|replace 01 with January in month|replace 02 with February in month|replace 03 with Martch in month|replace 04 with April in month

SGF

NOUMSSI · ‎03-25-2015

Hi,
Do you have a field named users?

antifreke · ‎03-25-2015

I have a field named nick, yes

Tanefo · ‎03-25-2015

hi try this
index="badge" | bucket _time span=30d | timechart dc(users) by _time, address | sort - count | head 10

antifreke · ‎03-25-2015

Alright, what I have now is the following:
index="acs_na" | timechart span=7d dc(nick) by address
This gives me the following:

                     address 1          address 2            address 3    address 4   null   other  address 5,6,7,8

week 1

week 2
week 3

I want to flip these, and do dates across the table, and have a list of the locations since we have 45 sites.

ppablo · ‎03-25-2015

Hi @antifreke

Please be sure than when responding to someone's answer, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You've been typing your responses in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer each time when it was really meant as a comment. This will help with a clean continuous flow of the conversation. I already converted your "answers" to comments, so just something to keep in mind from here on out. Thanks!

Tanefo · ‎03-25-2015

use table move replace timechart by stats add tables address and count
like this

    index="badge" | bucket _time span=30d | stats dc(user) by address| table user count | sort - count | head 100

antifreke · ‎03-25-2015

index="badge" | bucket _time span=30d | timechart dc(nick) by address | sort - count | head 1000

It didn't work, so I tried the one above. Right now it's giving me the following:

          site 1     site 2     site 3

date 1 535
date 2 677
date 3 424

Tanefo · ‎03-25-2015

please antifreke, explain me again your preocupation.

antifreke · ‎03-25-2015

I'm wanting to pull up unique users per address over a period of time to see how many people are actually coming to work.

So far I have index=badge, fields for nick, and address, table address date_month count

How to edit my search to chart the count of unique users each month per address?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life