trying to timechart stats

glennstolz · ‎05-18-2020

I am trying splunk unique visitors from my Akamai Logs.

Akamai determine a unique visitor by combining client ip and xforwarded for.

Here is my simple search

index="akamai-webcdn-afl-app-s"
| stats count by event.message.cliIP, event.reqHdr.xFrwdFor

which results in

event.message.cliIP event.reqHdr.xFrwdFor   count
103.246.36.21         192.168.6.122           3
108.171.134.189     1.43.141.112               1
108.171.134.189     139.163.132.183         2
114.119.160.107     10.179.80.58               1
114.119.160.177     10.179.80.112             1

Each line represents a unique visitor

How can I get a count of unique visitors each minute as the below does not work and just give 0 results

index="akamai-webcdn-afl-app-s"
| stats count by event.message.cliIP, event.reqHdr.xFrwdFor
| timechart span=1m count(event.message.cliIP)

Thank you for your help 🙂

richgalloway · ‎05-18-2020

The stats command filters out all fields except those explicitly named in the command. In your example, that's "count", "event.message.cliIP", and "event.reqHdr.xFrwdFor".
The timechart command requires the _time field, which was stripped out by stats, so it doesn't work.
The solution is to tell stats to include _time.

index="akamai-webcdn-afl-app-s"
| bucket span=1m _time
| stats count by _time, event.message.cliIP, event.reqHdr.xFrwdFor
| timechart span=1m count

---
If this reply helps you, Karma would be appreciated.

trying to timechart stats

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!