Solved: search for unique userid in one hour window

dominiquevocat · ‎04-12-2012

I am trying to report the number of unique logged in users (field=USERNAME) in a timespan=1h and since i only want unique users i probably should use dedup but when i run this search for a day or week there is a chance that the same user logged in on several days in that timespan so the dedup should affect only the events within the timespan.

say
index="xxx" | timechart span=1h sum(USERNAME) | dedup USERNAME
is not right. Deduping after that is no use.

Also i would like to have the top number of concurent (see where this goes?) Users in a 1h timespan for a report.

How would i best go about it in a search? How can i report this concurent users max per 1h timespan?

Ayn · ‎04-12-2012

I don't really understand all of your question, but I'll try to respond according to what I think you're asking.

For a given 1 hour interval, you want to see the distinct count of users that generated events during that timespan. For this, use stats distinct_count (or dc which is the short version).

index="xxx" | timechart span=1h dc(USERNAME)

View solution in original post

Ayn · ‎04-12-2012

I don't really understand all of your question, but I'll try to respond according to what I think you're asking.

For a given 1 hour interval, you want to see the distinct count of users that generated events during that timespan. For this, use stats distinct_count (or dc which is the short version).

index="xxx" | timechart span=1h dc(USERNAME)

dominiquevocat · ‎04-12-2012

DistinctCount sounds nice. I think that does most of what i need.

search for unique userid in one hour window

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!