- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a report that displays stats count i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry I am new to Splunk and wondering if can have the report that gives results in a table as below,
data as :
index=api serviceName=find userId=7878
index= api serviceName=find userId=7877
index= api serviceName=find userId=7878
index= api serviceName=person userId=7878
Result should be like :
a) table A : serviceName, count of (unique userId's)
b) Also if its possible to have the result of table A for 1 day, 7 day, 30 days
Please provide the queries also.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=api earliest=-30d@d | eval timeframe=case(_time>relative_time(now(), "@d"), "Today", _time<relative_time(now(), "@d") AND _time>relative_time(now(), "-7d@d"), "7 days", _time<relative_time(now(), "-7d@d") AND _time>relative_time(now(), "-30d@d"), "30 days" | chart dc(userId) as Users over serviceName by timeframe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Vicky84 - Did either of the below answers help you out? If yes, please click "Accept" below the best answer to resolve your post. If no and you still need help, please leave a comment with some feedback. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=api earliest=-30d@d | eval timeframe=case(_time>relative_time(now(), "@d"), "Today", _time<relative_time(now(), "@d") AND _time>relative_time(now(), "-7d@d"), "7 days", _time<relative_time(now(), "-7d@d") AND _time>relative_time(now(), "-30d@d"), "30 days" | chart dc(userId) as Users over serviceName by timeframe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks sundareshr.
This gives me a quite a good result I was expecting but can you also tell if there is a way to get only the top users stats in the similar report (don't want all the users result pulled). Like if X is the top api user of today, I want to compare his stats for last to 2 days, to see if there is any spike in the same query/report.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have fields called serviceName and userId and index is called api, try:
index=api | stats dc(userId) as "Distinct User Count" by serviceName
For B) try
index=api earliest=-7d@d| timechart span=1d dc(userId) by serviceName useother=f
Change the value of "7" in above to yourNumber to get the results as far back as you like. -30d@d and so on. Use the visualizations or just use the statistics table. Visualization will give options of charting with line chart/bar graph to display the query B)
Added useother=f, so that there are no "other" grouping and results show up for each serviceName
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
