- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Count of users
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
We have some events in which two fields appname and UserID are listed. Which shows in each event that which user was trying to hit that application. UserID is a numeric field.
Now my requirement is to get a dashboard which shows in last one hour how many users were accessing the apps . Basically count of users by application. i did like this :
| stats dc(UserId) by appName
I dont get any stat values in the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I notice that your description mentions a field called appname, and your search query uses appName. Is that just a typo in your post? Splunk is case-sensitive in handling field names, so that discrepancy could be the cause.
If not, can you share any errors you're getting? Or post a sample of the data returned by your search at the stage immediately before the stats call you posted? And last question - in your dashboard, what type of panel are you trying to use to display the data: an events table, a stats table, a single?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I notice that your description mentions a field called appname, and your search query uses appName. Is that just a typo in your post? Splunk is case-sensitive in handling field names, so that discrepancy could be the cause.
If not, can you share any errors you're getting? Or post a sample of the data returned by your search at the stage immediately before the stats call you posted? And last question - in your dashboard, what type of panel are you trying to use to display the data: an events table, a stats table, a single?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure how to convert your comment to answer. I want to accept it as the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I converted it to an answer. But as I was doing so, I realized that I didn't really solve your issue, so feel free to post your own answer with an explanation of what you were doing, how you troubleshot it, and what the solution was - and then accept that. If you're up for that, it might help someone in the future. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Simple fix was to access the field name through nested parsing, i was using appName instead of hdr.appName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, i messed up with the JSON parsing. These are nested fields and i was trying to access them directly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it perhaps as minor as capitalization? In your text you said it was UserID, but in your search you used UserId.
Try:
| stats dc(UserID) by appName
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
