Refine your search:

How can I get a running total of distinct users over time?

2

I'm trying to track adoption of a new system using Splunk. I have a chart which shows distinct users per day. I'd like to also add a chart that shows cumulative distinct users.

e.g.:
Day    Users       Cumulative Total
1      A, B, C, D  4
2      A, B        4
3      C, D, E, F  6
4      G           7

I've tried streamstats but can't figure out if there is an option to do this.

asked 13 Aug '10, 13:24

patrickw's gravatar image

patrickw
39213
accept rate: 0%

edited 05 May '11, 14:22

jlaw's gravatar image

jlaw ♦
77148
3 Answers:
oldestnewestmost voted
5

Here's an example of a search that does roughly what you want:

eventtype="download" | bin _time span=1d as day | stats values(clientip) as ips dc(clientip) by day | streamstats dc(ips) as "Cumulative total"

The bin command breaks the time into days, the stats calculates the distinct users and user count per day and the streamstats finds the running distinct count of users.

link

answered 14 Aug '10, 00:06

Stephen%20Sorkin's gravatar image

Stephen Sorkin ♦
9.0k510
accept rate: 52%

Thanks - that worked!

(16 Aug '10, 13:18) patrickw
0

You could use | uniq | stats count in a time constrainted search

link

answered 13 Aug '10, 15:26

Pete%20Bassill's gravatar image

Pete Bassill
1866
accept rate: 22%

1

Thanks Pete - can you be more specific about the 'time constrained search' part of the answer? I see how | uniq | gets me part way there, but how do I actually get the running total out of that?

(13 Aug '10, 17:23) patrickw
0

When I've ran this and then "Show Report"...the day is a bunch of numbers like 1312330200 which I don't recognize...how do I add to this to convert the day to something readable on the report?

eventtype="download" | bin _time span=1d as day | stats values(clientip) as ips dc(clientip) by day | streamstats dc(ips) as "Cumulative total"

Thanks,

Bob I.

link

answered 11 Aug '11, 13:42

numb_lock's gravatar image

numb_lock
1
accept rate: 0%

edited 11 Aug '11, 13:52

Try eventtype="download" | bin _time span=1d as day | stats values(clientip) as ips dc(clientip) by day | streamstats dc(ips) as "Cumulative total" | eval ddd=strftime(day,"%b %d %Y") | table ddd "Cumulative total".

(01 Feb '12, 14:38) rmorlen
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×279

Asked: 13 Aug '10, 13:24

Seen: 2,674 times

Last updated: 01 Feb '12, 14:38

Related questions

Reverse running total/ sum needed

How to get a daily count of distinct users over a large time range without re-running from beginning of time

Running Total

Charting percentage of a total over time?

using streamstats and stats together

stats generate distinct counts by a field, and also overall

Calculate stats over a percentage of the data

Somehow combine stats data over timechart?

Netscreen logs - Useraccounts and IP-addresses

Copyright © 2005-2012 Splunk Inc. All rights reserved.