topic Re: Need a Help with Query for Report in Reporting

Need a Help with Query for Report

satyaallaparthi — Wed, 30 Sep 2020 02:36:54 GMT

Hello,

I have user data which is ingesting every week on Saturday in to Splunk.

I have 3000 Events on 5th Oct and 3150 Events on 12th Oct. i.e, 150 new users created in last one week.

And I have the fields called login_name and User_type.

I want to create a report showing new login_name by comparing 2 weeks of data. which is not in Splunk on 5th Oct and which is on 12th Oct.

Please do help me with the query.

Thanks in Advance.

Re: Need a Help with Query for Report

richgalloway — Mon, 14 Oct 2019 19:06:59 GMT

There probably are a few ways to do this. One is with subsearch.

index=foo earliest=-1w@w6 NOT [index=foo earliest=-2w@w6 latest=-1w@w5 | fields login_name | format]

or use set diff

set diff [index=foo earliest=-2w@w6 latest=-1w@w5] [index=foo earliest=-1w@w6]

Re: Need a Help with Query for Report

satyaallaparthi — Wed, 30 Sep 2020 02:36:56 GMT

Hello,
Unfortunately, I am getting all 3150 login names When I am trying with Below Query.

index=lookups sourcetype=users_roles earliest=-7d@d latest=now
NOT
[search index=lookups sourcetype=users_roles earliest=-14d@d latest=-7d@d]
| stats count by login_name

3,143 events (10/7/19 12:00:00.000 AM to 10/14/19 3:21:06.000 PM)

Please do help if there is something else to sort out this issue..

Thanks,

Re: Need a Help with Query for Report

richgalloway — Mon, 14 Oct 2019 20:11:04 GMT

Have you tried the other query?

I've modified my answer. See if that makes a difference.