- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Stats/Chart count distinct users by Country and ev...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a query showing the amount of distinct logins by IP address based on the "term" i've created in the query.
| stats earliest(_time) as first_login latest(_time) as last_login by IP_address User
| eval term=last_login-first_login
| eval term=case(term<86400, "Very Short", term>86400 AND term<(86400*7), "Short", term>(86400*7), "Long")
| chart dc(User) as usercount by IP_address,term
| iplocation IP_address
| where (isnotnull(Country) AND isnotnull(City) AND NOT Country="United States" AND trim(Country)!="" AND trim(City)!="")
| stats sum("Very Short") AS "Very Short", sum(Short) AS Short, sum(Long) AS Long by Country, City
After doing some cross-checking, I realized these results are counting multiple values for users if that makes sense. So if "xxx99" had three "Very Short" logins and "xxx90" had 2 "Very Short" logins, its counting it as 5 "Very Short", when in fact I need it to count as 2 (the amount of users that were categorized as Very Short at least once).
I've tried getting around this myself with this:
| stats earliest(_time) as first_login latest(_time) as last_login by IP_address User
| eval term=last_login-first_login
| eval term=case(term<86400, "Very Short", term>86400 AND term<(86400*7), "Short", term>(86400*7), "Long")
| iplocation IP_address
| stats dc(User) AS usercount by Country City term
| where (isnotnull(Country) AND isnotnull(City) AND NOT Country="United States" AND trim(Country)!="" AND trim(City)!="")
| search Country=Azerbaijan
| chart sum(usercount) over Country by term
but with those results, I can't seem to get it to display the Country AND City, not just the City.
Any thoughts?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
| stats earliest(_time) as first_login latest(_time) as last_login by IP_address User
| eval term=last_login-first_login
| eval term=case(term<86400, "Very Short", term>86400 AND term<(86400*7), "Short", term>(86400*7), "Long")
| iplocation IP_address
| where (isnotnull(Country) AND isnotnull(City) AND NOT Country="United States" AND trim(Country)!="" AND trim(City)!="")
| stats dc(User) AS usercount by Country City term
| search Country=Azerbaijan | eval temp=Country."##".City
| chart sum(usercount) over temp by term | rex field=temp "(?<Country>.+)##(?<City>.+)" | table Country, City "Very Short", Short, Long
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
| stats earliest(_time) as first_login latest(_time) as last_login by IP_address User
| eval term=last_login-first_login
| eval term=case(term<86400, "Very Short", term>86400 AND term<(86400*7), "Short", term>(86400*7), "Long")
| iplocation IP_address
| where (isnotnull(Country) AND isnotnull(City) AND NOT Country="United States" AND trim(Country)!="" AND trim(City)!="")
| stats dc(User) AS usercount by Country City term
| search Country=Azerbaijan | eval temp=Country."##".City
| chart sum(usercount) over temp by term | rex field=temp "(?<Country>.+)##(?<City>.+)" | table Country, City "Very Short", Short, Long
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The temp= line is combining two fields Country and City ( your can use any name for that matter, I used temp as it's a temporary field). So this way we ran the chart with 3 field grouping (using temp). Once the data is charted, we're using rex command to separate out those combined fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay very interesting, i'm learning a lot still. Is there a way to display this with geostats?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this seems to work. I changed the order of the first eval to eval term=case(term>(86400*7), "Long", term>86400 AND term<(86400*7), "Short", term<86400, "Very Short") so that if a user is identified as Long, they can't also be counted for short/very short.
I also added a dedup User after the stats dc(User) cmd line which looks to do what I've been looking for!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
could I ask what exactly the eval temp= line is doing? I can't seem to find much info about that or the rex cmd how it works.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
