We currently have our web filtering logs forwarded to Splunk. I have been asked to provide a report that doesn't just show the top users browsing the web, but to show a list of users that browse the web excessively. I have been fumbling around the percentile functions of stats but am having some trouble. An event is generated for every request that is made. Within the event is a field for "USER." I would like to determine the average number of events per user per day and report the top users that have breached a threshold based on this number. Maybe a user count that exceeds the 95th percentile or a user count that is 4X the average.
I thank you in advance for any help you can provide.
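Added example, not part of the original question: the same per-user-per-day computation done in plain Python over a constructed set of web-filter events, so the two threshold rules (above the 95th percentile, or above 4x the average of all user-day counts) can be checked before wiring them into Splunk. It mirrors the SPL shape `| bin _time span=1d | stats count AS requests BY _time USER | eventstats avg(requests) AS avg_requests perc95(requests) AS p95_requests | where requests > p95_requests OR requests > 4*avg_requests`; the sample users, counts and the nearest-rank percentile are assumptions for illustration.

```python
from collections import Counter
from math import ceil

# Constructed sample: (day, USER, number of requests that day). Each request is
# expanded into one (day, USER) event below, mirroring one log event per request.
SAMPLE_SPEC = [
    ("2024-03-01", "alice", 40), ("2024-03-01", "bob", 35), ("2024-03-01", "carol", 50),
    ("2024-03-01", "dave", 30), ("2024-03-01", "erin", 45), ("2024-03-01", "frank", 400),
    ("2024-03-01", "grace", 38), ("2024-03-01", "heidi", 42), ("2024-03-01", "ivan", 33),
    ("2024-03-01", "judy", 36),
    ("2024-03-02", "alice", 44), ("2024-03-02", "bob", 31), ("2024-03-02", "carol", 48),
    ("2024-03-02", "dave", 28), ("2024-03-02", "erin", 47), ("2024-03-02", "frank", 380),
    ("2024-03-02", "grace", 39), ("2024-03-02", "heidi", 41), ("2024-03-02", "ivan", 35),
    ("2024-03-02", "judy", 34),
]
SAMPLE_EVENTS = [(day, user) for day, user, n in SAMPLE_SPEC for _ in range(n)]

def requests_per_user_day(events):
    """Equivalent of '| bin _time span=1d | stats count BY _time USER'."""
    return Counter(events)

def percentile(values, pct):
    """Nearest-rank percentile; Splunk's perc95() may differ slightly on small sets."""
    ordered = sorted(values)
    rank = max(1, ceil(pct * len(ordered) / 100))  # integer product avoids float drift
    return ordered[rank - 1]

def flag_excessive(events, pct=95, multiple=4):
    """Return [(day, user, count, reason)] for user-days above either threshold,
    largest count first. Mirrors eventstats avg()/perc95() followed by a where clause."""
    counts = requests_per_user_day(events)
    avg = sum(counts.values()) / len(counts)          # average across all user-days
    p = percentile(counts.values(), pct)              # e.g. p95 across all user-days
    flagged = []
    for (day, user), n in counts.items():
        reasons = []
        if n > p:
            reasons.append(f"above p{pct} ({p})")
        if n > multiple * avg:
            reasons.append(f"above {multiple}x avg ({avg:.1f})")
        if reasons:
            flagged.append((day, user, n, "; ".join(reasons)))
    return sorted(flagged, key=lambda r: -r[2])

if __name__ == "__main__":
    for day, user, n, why in flag_excessive(SAMPLE_EVENTS):
        print(f"{day} {user:<6} {n:>4}  {why}")
```

With only a handful of users the nearest-rank 95th percentile is close to the maximum, so on small populations the 4x-average rule is the one that actually fires; compare both against a real day's data before picking the threshold.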