Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

distinct count users timechart

aaronkorn
Splunk Employee
Splunk Employee
‎05-20-2013 11:11 AM

Hello,

We are trying to track distinct current users logged in and running transactions in a particular application but cannot seem to get the correct search. Our search right now is just index=cerner | timechart span=5m dc(UserName) by host | addtotals but one of the major flaws is that within that 5min aggregation window where splunk is tallying up the users the graph shows drastic spikes which will confuse our operations center and think that there is something wrong with the application. What would be the best modification to our search syntax to ensure an accurate count of users currently logged in. If the search has to be 5 min in the past I am fine with that.

Thanks!

alt text

Thanks for your feedback.

I made the changes and even had it offset to 5min before but it is still showing the drastic drops although the 5 min bucket window has passed. I ran the search at 8:27 an the data point at 8:20 should be accurate. Any other ideas?

Thanksalt text

Reply

antlefebvre
Communicator
‎01-20-2014 06:40 PM

I couldn't figure out how to PM you from here. How are you accounting for number of users logged into Cerner? Are you getting the EMR logs from the backend, logging citrix application opens, full app launches from the desktop, or some other way I am not thinking of. I too am part of a Cerner shop and didn't realize someone else out there was tracking this as well.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎05-20-2013 12:52 PM

Could be you need to play with the partial parameter. If you run a search at say 10:06, with span=5m your last timeslot will only have data for 1 minute (but be graphed like it had 5 minutes worth of data).

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Timechart

/k

Reply

aaronkorn
Splunk Employee
Splunk Employee
‎05-21-2013 05:30 AM

thanks for your feedback. I just updated the original question trying the partial parameter.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...