Solved: search that captures sum of users by url - Splunk Community

Splunk Search

I need to add something to the following string (or rewrite it) that captures users sum by url by date. Any help would be appreciated.

host="192.xxx.xxx.xx" Prism http://host1.com:80//Citrix/MetaFrame action="POST"| stats count by user, dest_url

Thank you!

1 Solution

Solution

sounds like

host="192.xxx.xxx.xx" Prism http://host1.com:80//Citrix/MetaFrame action="POST" | timechart span=1d dc(user) by dest_url

run that over a week's worth of data and it'll give you 7 rows where each row is a particular day, each column across the top is a particular dest_url and the numbers in the cells are the distinct count of 'user' for that day and that dest_url

View solution in original post

Solution

sounds like

host="192.xxx.xxx.xx" Prism http://host1.com:80//Citrix/MetaFrame action="POST" | timechart span=1d dc(user) by dest_url

run that over a week's worth of data and it'll give you 7 rows where each row is a particular day, each column across the top is a particular dest_url and the numbers in the cells are the distinct count of 'user' for that day and that dest_url

Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024 | 11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...