Splunk Search

How to create a report that displays stats count in a table for x days?

Vicky84
Explorer

Sorry, I am new to Splunk and wondering if I can have a report that gives results in a table as below.

Data as:

index=api serviceName=find userId=7878
index=api serviceName=find userId=7877
index=api serviceName=find userId=7878
index=api serviceName=person userId=7878

Result should be like:
a) table A: serviceName, count of unique userIds
b) Also, if it's possible, the result of table A for 1 day, 7 days, 30 days

Please provide the queries also.

0 Karma
1 Solution

sundareshr
Legend

Try this

index=api earliest=-30d@d | eval timeframe=case(_time>relative_time(now(), "@d"), "Today", _time<relative_time(now(), "@d") AND _time>relative_time(now(), "-7d@d"), "7 days", _time<relative_time(now(), "-7d@d") AND _time>relative_time(now(), "-30d@d"), "30 days") | chart dc(userId) as Users over serviceName by timeframe


0 Karma

aaraneta_splunk
Splunk Employee

@Vicky84 - Did either of the below answers help you out? If yes, please click "Accept" below the best answer to resolve your post. If no and you still need help, please leave a comment with some feedback. Thanks!

0 Karma


Vicky84
Explorer

Thanks sundareshr.
This gives me quite a good result, which I was expecting, but can you also tell me if there is a way to get only the top users' stats in a similar report (I don't want all the users' results pulled)? Like, if X is the top API user of today, I want to compare his stats for the last 2 days, to see if there is any spike, in the same query/report.

0 Karma

gokadroid
Motivator

Assuming you have fields called serviceName and userId and index is called api, try:

index=api | stats dc(userId) as "Distinct User Count" by serviceName

For b) try

index=api earliest=-7d@d | timechart span=1d dc(userId) by serviceName useother=f

Change the value of "7" in the above to your number to get results as far back as you like: -30d@d and so on. Use the visualizations or just use the statistics table. Visualization will give options of charting with a line chart/bar graph to display query b).

Added useother=f so that there is no "other" grouping and results show up for each serviceName.

0 Karma
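As an added, self-contained illustration that is not part of any answer in this thread: the Python below reproduces, over a handful of constructed events in the question's key=value format, what the three SPL searches compute: the stats dc(userId) by serviceName table, the accepted answer's Today / 7 days / 30 days buckets from case(), and the per-day timechart with a 7-day window. The fixed NOW, the sample events and the helper names (parse_kv, timeframe, load_events and the three aggregation functions) are this example's own assumptions, not anything from Splunk or from the thread. Running something like this against a few known events is a cheap way to check what a distinct-user-per-service panel should show before a spike in it is trusted or acted on.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in the key=value form shown in the question, each
# paired with a timestamp standing in for Splunk's _time. Not real data.
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
RAW_EVENTS = [
    (NOW - timedelta(hours=1), "index=api serviceName=find userId=7878"),
    (NOW - timedelta(hours=2), "index=api serviceName=find userId=7877"),
    (NOW - timedelta(hours=3), "index=api serviceName=find userId=7878"),
    (NOW - timedelta(hours=4), "index=api serviceName=person userId=7878"),
    (NOW - timedelta(days=3), "index=api serviceName=find userId=7001"),
    (NOW - timedelta(days=5), "index=api serviceName=person userId=7002"),
    (NOW - timedelta(days=12), "index=api serviceName=find userId=7003"),
    (NOW - timedelta(days=20), "index=api serviceName=find userId=7003"),
    (NOW - timedelta(days=45), "index=api serviceName=find userId=7999"),  # outside earliest=-30d@d
]


def parse_kv(raw):
    """Split a 'k=v k=v' line into a dict (stand-in for Splunk's automatic field extraction)."""
    fields = {}
    for token in raw.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def snap_to_day(ts):
    """Equivalent of the @d snap: midnight of the day containing ts."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def timeframe(ts, now=NOW):
    """Bucket an event time the way the accepted answer's case() does.

    The buckets are disjoint: 'Today' is everything since midnight, '7 days' is
    the six full days before that, and '30 days' is the 23 days before those.
    Anything older (or exactly on a boundary, because case() uses strict < and >)
    gets no bucket, which is what the original search does too.
    """
    today = snap_to_day(now)
    if ts > today:
        return "Today"
    if ts > today - timedelta(days=7):
        return "7 days"
    if ts > today - timedelta(days=30):
        return "30 days"
    return None


def load_events(raw_events, now=NOW):
    """Apply the earliest=-30d@d window, then extract fields and keep _time."""
    earliest = snap_to_day(now) - timedelta(days=30)
    events = []
    for ts, raw in raw_events:
        if ts < earliest:
            continue
        ev = parse_kv(raw)
        ev["_time"] = ts
        events.append(ev)
    return events


def distinct_users_by_service(events):
    """Question (a): stats dc(userId) by serviceName."""
    users = defaultdict(set)
    for ev in events:
        users[ev["serviceName"]].add(ev["userId"])
    return {svc: len(ids) for svc, ids in users.items()}


def distinct_users_chart(events, now=NOW):
    """Accepted answer: chart dc(userId) over serviceName by timeframe."""
    users = defaultdict(set)
    for ev in events:
        tf = timeframe(ev["_time"], now)
        if tf is None:
            continue
        users[(ev["serviceName"], tf)].add(ev["userId"])
    table = defaultdict(dict)
    for (svc, tf), ids in users.items():
        table[svc][tf] = len(ids)
    return dict(table)


def distinct_users_per_day(events, days=7, now=NOW):
    """Question (b): timechart span=1d dc(userId) by serviceName over the last N days."""
    start = snap_to_day(now) - timedelta(days=days)
    users = defaultdict(set)
    for ev in events:
        if ev["_time"] < start:
            continue
        day = snap_to_day(ev["_time"]).date().isoformat()
        users[(day, ev["serviceName"])].add(ev["userId"])
    table = defaultdict(dict)
    for (day, svc), ids in sorted(users.items()):
        table[day][svc] = len(ids)
    return dict(table)


if __name__ == "__main__":
    evs = load_events(RAW_EVENTS)
    print(distinct_users_by_service(evs))
    print(distinct_users_chart(evs))
    print(distinct_users_per_day(evs))
```

One detail this makes visible that is easy to miss when reading the accepted search: because the case() ranges do not overlap, the "7 days" column excludes today and the "30 days" column excludes the most recent week, so they are not cumulative counts. If a rolling 7-day or 30-day distinct-user figure is what a report needs, the bucket boundaries (here, the comparisons in timeframe) have to be widened accordingly.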