topic Re: How to find the perple who leave in the next day in Splunk Search

How to find the perple who leave in the next day

Minghao — Sun, 07 Feb 2021 13:13:52 GMT

We have a game and login log. I want to anyalize the people that login today and don't login tommorow, which is to analyze what effect the 1-day retention. BUT, I can't find these leaved people. I think maybe I can use NOT command or JOIN INNER command, however I failed.

Re: How to find the perple who leave in the next day

inventsekar — Sun, 07 Feb 2021 13:56:49 GMT

Hi @Minghao .. pls share with us the login log(without actual username/server names, etc)..

> I want to anyalize the people that login today and don't login tommorow

this should be simple. the login log should have the timestamp.. so, you can search for the users whose last login was more than 24 hrs (which means, those users didnt login last 24hrs).

if you provide us the sample login log (without actual username/server names, etc), we can help you with the SPL query. thanks.

Re: How to find the perple who leave in the next day

Minghao — Mon, 08 Feb 2021 02:43:04 GMT

The login log is like below:

2021-02-07 21:39:40 id=1001,flt=2021-01-11 00:05:18, ip=xxx.xx.xxx.xx,device=xxx

Re: How to find the perple who leave in the next day

Minghao — Mon, 08 Feb 2021 02:44:21 GMT

Thank you very much, I have post it and in where flt means the first login time which I think is very useful

Re: How to find the perple who leave in the next day

inventsekar — Mon, 08 Feb 2021 09:46:01 GMT

2021-02-07 21:39:40 id=1001,flt=2021-01-11 00:05:18, ip=xxx.xx.xxx.xx,device=xxx

assuming that "flt" is already extracted:

base search | eval epochLoginTime=strptime(flt, "%Y-%m-%d hh:mm:ss") | eval epochOneDay=relative_time(now(), "-1d@d" ) | where epochLoginTime > epochOneDay