Solved: How to search the total number of users per day?

sim_tcr · ‎05-05-2016

Hello,

I have a field where the user names are recorded. I want to display a timechart with total number of users for a day.

user
------
user1
user2
user5
user6
...
...

Please help me construct the search

index="_internal" sourcetype=splunk_web_access source="/apps/splunk/var/log/splunk/web_access.log"

Thanks,
Simon Mandy

javiergn · ‎05-05-2016

If you want total number of users:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d count(user) as total_users

If you want distinct number of users:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d dc(user) as distinct_users

If you want the count per user:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d count as count_user by user

javiergn · ‎05-05-2016

If you want total number of users:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d count(user) as total_users

If you want distinct number of users:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d dc(user) as distinct_users

If you want the count per user:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d count as count_user by user

How to search the total number of users per day?