Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to restrict a search to the last event per user

fabsi
New Member
‎12-05-2016 03:53 AM

I would like to know the number of users per application version over a period of time.

The events always include the application version and the user id but a user could have used different application versions over a period of time and I am interested on the latest, which happen to be the latest event for a given user, so how can I restrict a query to search only through the last events per user?, below it is my attempt which is not working..

search |stats values(email) as email, values(deviceSerial) as deviceSer, values(appVersion) as appVersion, latest(_time) AS latest_time by deviceSerial |fields email deviceSer appVersion latest_time| dedup email latest_time|  stats  dc(email) as users by appVersion | sort -users
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎12-05-2016 05:16 AM

Try this

search 
| stats max(_time) as latest_time by email appVersion
| stats dc(email) as users by appVersion 
| sort -users

View solution in original post

Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎12-05-2016 05:16 AM

Try this

search 
| stats max(_time) as latest_time by email appVersion
| stats dc(email) as users by appVersion 
| sort -users
Reply
Solved! Jump to solution

fabsi
New Member
‎12-05-2016 05:47 AM

I tried, but still users are counted twice if there are events done with multiple versions per user . So I managed to filter those cases using eventstats.. (there is usually a one to one relationship between deviceSerial and email fields)

search
| eventstats latest(_time) AS latest_time by deviceSerial
|dedup deviceSerial latest_time
| stats dc(email) as users by appVersion
| sort -users

0 Karma
Reply
Solved! Jump to solution

fabsi
New Member
‎12-05-2016 05:06 AM

Hi, I am answering myself.. I decided to use eventstats. If somebody has another idea, please tell, specially if you think that the performance can be better..

search string| eventstats latest(_time) AS latest_time by deviceSerial |dedup deviceSerial latest_time|  stats  dc(email) as users by appVersion | sort -users

Seems to work..

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-05-2016 05:34 AM

I believe you don't need both eventstats and dedup. I usually just use dedup when I need the latest event containing a particular field or set of fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

fabsi
New Member
‎12-05-2016 06:11 AM

will that be dedup deviceSerial then? and by definition will take the latest event?. thank you richgalloway and rjthibod

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...