Splunk Search

distinct count users timechart

aaronkorn
Splunk Employee

Hello,

We are trying to track the distinct current users logged in and running transactions in a particular application, but cannot seem to get the correct search. Our search right now is just index=cerner | timechart span=5m dc(UserName) by host | addtotals, but one of the major flaws is that within that 5-minute aggregation window where Splunk is tallying up the users, the graph shows drastic spikes, which will confuse our operations center and make them think that there is something wrong with the application. What would be the best modification to our search syntax to ensure an accurate count of users currently logged in? If the search has to be 5 min in the past, I am fine with that.

Thanks!


Thanks for your feedback.

I made the changes and even had it offset to 5 min before, but it is still showing the drastic drops although the 5 min bucket window has passed. I ran the search at 8:27 and the data point at 8:20 should be accurate. Any other ideas?

Thanks

antlefebvre
Communicator

I couldn't figure out how to PM you from here. How are you accounting for the number of users logged into Cerner? Are you getting the EMR logs from the backend, logging Citrix application opens, full app launches from the desktop, or some other way I am not thinking of? I too am part of a Cerner shop and didn't realize someone else out there was tracking this as well.

0 Karma

kristian_kolb
Ultra Champion

Could be you need to play with the partial parameter. If you run a search at, say, 10:06 with span=5m, your last time slot will only have data for 1 minute (but be graphed like it had 5 minutes' worth of data).

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Timechart

/k

aaronkorn
Splunk Employee

Thanks for your feedback. I just updated the original question trying the partial parameter.

0 Karma
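An added illustration of the partial-bucket effect kristian_kolb describes above (example code written for this page, not code from Splunk or from any poster in the thread). It emulates what timechart span=5m dc(UserName) produces when the search runs part-way through the last 5-minute slot, shows what dropping that trailing slot (the partial=false behaviour) changes, and, going one step beyond the thread, contrasts both with a trailing-window count of users seen in the last 10 minutes, which is closer to "currently logged in" and never dips at a bucket edge because its window is always full width. The usernames, timestamps, the 08:26 search time and the 10-minute window are all constructed assumptions; only the trailing partial bucket is emulated, not a partial first bucket.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SPAN = timedelta(minutes=5)
EPOCH = datetime(1970, 1, 1)
# Assumed time the search is run: 1 minute into the 08:25-08:30 slot.
NOW = datetime(2013, 4, 10, 8, 26)


def make_events():
    """Constructed sample (UserName, _time) pairs, not real Cerner data.
    Four users, each logging one transaction every 4 minutes at staggered
    offsets, from 08:00 to 08:29, so every full 5-minute slot sees all four."""
    base = datetime(2013, 4, 10, 8, 0)
    events = []
    for offset, user in enumerate(["alice", "bob", "carol", "dave"]):
        for minute in range(offset, 30, 4):
            events.append((user, base + timedelta(minutes=minute)))
    return sorted(events, key=lambda e: e[1])


def bucket_start(ts, span=SPAN):
    """Epoch-aligned bucket start, as timechart aligns its bins
    (boundaries fall on :00, :05, :10, ...)."""
    secs = int((ts - EPOCH).total_seconds())
    width = int(span.total_seconds())
    return EPOCH + timedelta(seconds=secs - secs % width)


def timechart_dc(events, now, span=SPAN, partial=True):
    """Emulates `timechart span=5m dc(UserName)` run at time `now`.
    Returns [(bucket_start, distinct_users), ...] in time order. With
    partial=False the trailing bucket is dropped when `now` falls inside it,
    which is what Splunk's partial=false does for the last time slot."""
    users = defaultdict(set)
    for user, ts in events:
        if ts <= now:                      # events after `now` have not been indexed yet
            users[bucket_start(ts, span)].add(user)
    rows = sorted((b, len(s)) for b, s in users.items())
    if not partial and rows and rows[-1][0] + span > now:
        rows.pop()                         # last slot is still open: discard it
    return rows


def active_users(events, now, window=timedelta(minutes=10)):
    """Distinct users with at least one event in (now - window, now].
    A trailing window is always full width, so it has no bucket-edge artifact."""
    return len({u for u, ts in events if now - window < ts <= now})


def active_series(events, now, minutes_back=10, window=timedelta(minutes=10)):
    """active_users evaluated once per minute, oldest first, ending at `now`."""
    return [active_users(events, now - timedelta(minutes=m), window)
            for m in range(minutes_back, -1, -1)]


if __name__ == "__main__":
    events = make_events()
    for b, n in timechart_dc(events, NOW):
        print(b.strftime("%H:%M"), n)      # the open 08:25 slot shows only 2 of 4 users
    print(timechart_dc(events, NOW, partial=False)[-1])  # last row is the full 08:20 slot
    print(active_series(events, NOW))      # flat at 4 for every minute
```

In SPL terms the second path corresponds to adding partial=false to the original search (index=cerner | timechart span=5m partial=false dc(UserName) by host | addtotals), which removes the open trailing slot instead of plotting it as though it were complete. One caveat the emulation does not model: events that reach the indexer after the search runs. A closed bucket whose data has not fully arrived looks exactly like a partial one, so if a drop persists for a slot that ended several minutes earlier, compare the count for that slot across two searches run some minutes apart before changing the search further.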