Hi together,
Hope you can help me.
I have the following - every day I'll receive user data, and I want to count all users with a specific Status. Then I want to count the status over the last 30 days to see if some users do have the status for at least 30 days long:
Time=Last 30 days
sourcetype=XYZ | search userstatus="Transition" | stats count by user
Now I can put this in a table:
|table user, count
Example:
user1 | 30
user2 | 30
user3 | 30
user4 | 29
user5 | 1
But what I want to have is a single value. For this example, the result should be: 3 --> because 3 users do have the status for at least 30 days long.
Can someone help me - I think this is really easy, but I do have a knot in my head now 😄
thanks, br, Lisi
You can filter it using the where clause, like this:
sourcetype=XYZ userstatus="Transition" | stats count by user | where count>=30
thanks so much! was really easy 😄
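The filter from the thread carried through to the single number asked for in the question, as an added example that is not part of the original posts. It counts distinct days per user rather than raw events, so a user with several events on one day is not over-counted, and a final `stats count` collapses the surviving rows into one value. The field names `days_in_status` and `users_30_days` are hypothetical, and the time range is written inline as the last 30 full days instead of being set in the time picker.

```spl
sourcetype=XYZ userstatus="Transition" earliest=-30d@d latest=@d
| bin _time span=1d
| stats dc(_time) AS days_in_status BY user
| where days_in_status>=30
| stats count AS users_30_days
```

For the sample table in the question (one event per user per day), this returns 3.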