- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search data for a unique user count by date...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am completely new to Splunk and I have a specific need to address so please be patient with my newbie incompetence!
I have a list of servers that for each hour records the users who were active on that server, I need to be able to get a unique count of the users across all of the servers during each 1 hour period. Where do I start?
WAS,PROD 1,2018-06-01 02:00:00+00:00,6,user1 user2 user3 user4 user5 user6
WAS,PROD 2,2018-06-01 02:00:00+00:00,5,user1 user2 user5 user7 user8
WAS,PROD 3,2018-06-01 02:00:00+00:00,5,user2 user3 user4 user5 user7
So the servers are PROD 1, 2 & 3, the date timestamp and then the users. The answer I want in this case is 8, the actual data covers an entire month and several thousand unique users.
Where do I start with this?
Thanks
Neal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have the data ingested and _time is properly set already. Try the following:
...your search to get to this data...
| rex ",(?<users>[^,]+)$"
| makemv delim=" " users
| stats values(users) as users by _time
| eval usercount = mvcount(users)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have the data ingested and _time is properly set already. Try the following:
...your search to get to this data...
| rex ",(?<users>[^,]+)$"
| makemv delim=" " users
| stats values(users) as users by _time
| eval usercount = mvcount(users)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@FrankVI - thank you very much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PS: if you imported it as CSV and already have it split into fields, where one field contains that users string, you could use that field and skip the rex part of course 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @NeaIM,
did you already create the sourcetype and index the data sample you provided?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did, I imported it from a CSV file and ran it through.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
