Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I create a barchart comparing active unique users vs. total users by month?

svemurilv
Path Finder
‎09-25-2017 09:45 AM

How do I create a comparison bar chart of active unique user vs total user by month on Splunk search head?
Both are coming from separate data sources.

0 Karma
Reply

DalJeanis
Legend
‎09-25-2017 10:08 AM

You need to write something like this...

 your search that gets the active users with _time and user 
   | bin _time as Day span=1d
   | stats count as visits by user Day
   | bin Day as Month span=1mon 
   | stats dc(user) as userCount sum(visits) as visitCount  count(visits) as userDayCount by Month

Now you have one record for each month, with the total unique visitors that month (userCount) and the total number of user-days (userDayCount) and the total number of visits (visitCount). If a particular user visited 50 times across 7 days in a particular month, then he will be counted 1, 7, and 50 times, respectively.

0 Karma
Reply

svemurilv
Path Finder
‎09-25-2017 01:46 PM

okay thanks for the reply but am asking to create the Active users Vs Total users on splunk.

index=_audit action="login attempt" "info=succeeded" | dedup user |rename user as "ActiveUsers"
|stats count(ActiveUsers) AS Active
|join ActiveUsers [ |rest /services/authentication/users splunk_server=local
|fields title roles realname|rename title as ALLuserName |stats count(ALLuserName) AS Total ]

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...