Solved: search for Count of users per minute for a hour

ma_anand1984 · ‎05-30-2012

user activities are captured in _audit index. Using this i would like to see how many users are active on a given minute for an hour. I tried this

index=_audit | dedup user | timechart span = "1m" count(user)

but dedup worked on the whole time frame instead of every minute. Any help would be appreciated.

ma_anand1984 · ‎06-13-2012

This is the answer for the requirement i had
index=_audit | timechart span="1m" dc(user)| rename dc(user) as "Concurrent User"

ma_anand1984 · ‎06-13-2012

This is the answer for the requirement i had
index=_audit | timechart span="1m" dc(user)| rename dc(user) as "Concurrent User"

sdaniels · ‎06-07-2012

Did this work for you?

sdaniels · ‎05-30-2012

What if you do the following:

... | bucket span=1m _time | dedup user, _time | timechart ...

ma_anand1984 · ‎05-30-2012

I want some thing like this

time user count
1m 5
2m 3
3m 20

etc

search for Count of users per minute for a hour