How to generate a graph to show daily unique users...

greekindian · ‎01-19-2015

I would like to generate a graph that shows the daily unique visitors login based on their e-mail address.

If i logged in yesterday and today, my login should show yesterday and today.
Currently I am running the following search and that shows my login only once.

Below is the search string I am using:

   "login *" sourcetype="*prod_logs"  | rex field=_raw "login (?<email>.*)"  | | dedup email | eval month_day=strftime(_time,"%2y/%2m/%2d") | chart count by month_day [Date Range: Month to date]

Any suggestion on how to graph the unique logins for each day and not unique for "Month to date"?

FrankVl · ‎06-01-2018

See the answers below for working alternative solutions. Just wanted to point out why yours doesn’t work as intended:
You do a dedup by email, which retains only a single event per user, loosing information on the date. You should have included _time in your dedup command.

christoph_puppe · ‎06-01-2018

Even easier, when you use the _time of the event, then:

"login " sourcetype="*prod_logs" | rex field=_raw "login (?.)"

| timechart dc(email)

chanfoli · ‎01-19-2015

Try using distinct count like this:

 "login *" sourcetype="*prod_logs"  | rex field=_raw "login (?<email>.*)"  | eval month_day=strftime(_time,"%2y/%2m/%2d") | chart dc(email) by month_day

How to generate a graph to show daily unique users?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio