Splunk Search

How to search the count of all users that have had a specific status for at least X days?

egreibl
Engager

Hi all,

Hope you can help me.

I have the following: every day I receive user data, and I want to count all users with a specific status. Then I want to count that status over the last 30 days to see whether some users have had the status for at least 30 days:

Time=Last 30 days

sourcetype=XYZ | search userstatus="Transition" | stats count by user

Now I can put this in a table:

|table user, count

Example:

user  | count
user1 | 30
user2 | 30
user3 | 30
user4 | 29
user5 | 1

But what I want is a single value. For this example the result should be 3, because 3 users have had the status for at least 30 days.

Can someone help me? I think this is really easy, but I have a knot in my head right now 😄

thanks, br, Lisi


sundareshr
Legend

You can filter it using the where clause, like this:

sourcetype=XYZ userstatus="Transition" | stats count by user | where count>=30 
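Two practitioner caveats on the accepted query, illustrated with an added example that is not from this thread. First, stats count counts events, not days: if a user's daily record is ingested twice on one day, that user reaches count>=30 with only 29 distinct days. Binning _time to a day and counting distinct buckets (| bin _time span=1d | stats dc(_time) AS days BY user) avoids that. Second, | where count>=30 still returns one row per user; the single number the question asks for needs a trailing | stats count. The Python below re-implements both SPL variants over a constructed 30-day feed (the field names user/userstatus/_time are taken from the thread; the window end date, the duplicate record and the extra users are assumptions made for the example) so the difference is visible without a Splunk instance.

```python
from collections import defaultdict
from datetime import date, timedelta

STATUS = "Transition"
WINDOW_DAYS = 30
WINDOW_END = date(2024, 3, 30)  # assumed last day of the "Last 30 days" time picker
WINDOW_START = WINDOW_END - timedelta(days=WINDOW_DAYS - 1)


def build_sample_feed():
    """Constructed daily export, one record per user per day.

    user1..user3: Transition on all 30 days.
    user4:        Transition on 29 days, but the day-1 record was ingested twice
                  (30 events, 29 distinct days).
    user5:        Transition on day 1 only.
    user6:        Active every day, never Transition.
    """
    records = []
    for i in range(WINDOW_DAYS):
        day = WINDOW_START + timedelta(days=i)
        for user in ("user1", "user2", "user3"):
            records.append({"user": user, "day": day, "userstatus": STATUS})
        if i != WINDOW_DAYS - 1:  # user4 is missing the last day of the window
            records.append({"user": "user4", "day": day, "userstatus": STATUS})
        if i == 0:  # ...but day 1 was ingested twice; user5 appears only on day 1
            records.append({"user": "user4", "day": day, "userstatus": STATUS})
            records.append({"user": "user5", "day": day, "userstatus": STATUS})
        records.append({"user": "user6", "day": day, "userstatus": "Active"})
    return records


def _in_scope(record, status, start, end):
    """The search filter: userstatus=<status> inside the time-picker window."""
    return record["userstatus"] == status and start <= record["day"] <= end


def event_count_by_user(records, status=STATUS, start=WINDOW_START, end=WINDOW_END):
    """SPL: userstatus=<status> | stats count BY user  (counts events)."""
    counts = defaultdict(int)
    for r in records:
        if _in_scope(r, status, start, end):
            counts[r["user"]] += 1
    return dict(counts)


def distinct_days_by_user(records, status=STATUS, start=WINDOW_START, end=WINDOW_END):
    """SPL: userstatus=<status> | bin _time span=1d | stats dc(_time) AS days BY user  (counts days)."""
    days = defaultdict(set)
    for r in records:
        if _in_scope(r, status, start, end):
            days[r["user"]].add(r["day"])
    return {user: len(d) for user, d in days.items()}


def users_at_least(per_user, threshold=WINDOW_DAYS):
    """SPL: | where <field>>=<threshold> | stats count  (the single value asked for)."""
    return sum(1 for v in per_user.values() if v >= threshold)


if __name__ == "__main__":
    feed = build_sample_feed()
    print("users with >=30 events:", users_at_least(event_count_by_user(feed)))  # user4 slips in
    print("users with >=30 days:  ", users_at_least(distinct_days_by_user(feed)))
```

The event-based variant reports 4 users because user4's duplicated record pushes its event count to 30; the day-based variant reports the intended 3. The same trap applies in the other direction: a user whose daily record is missing once but logged twice elsewhere looks like 30 days when it is 29.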

egreibl
Engager

Thanks so much! That was really easy 😄
