Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need a Help with Query for Report

satyaallaparthi
Communicator
‎10-14-2019 11:49 AM

Hello,

I have user data which is ingesting every week on Saturday in to Splunk.

I have 3000 Events on 5th Oct and 3150 Events on 12th Oct. i.e, 150 new users created in last one week.

And I have the fields called login_name and User_type.

I want to create a report showing new login_name by comparing 2 weeks of data. which is not in Splunk on 5th Oct and which is on 12th Oct.

Please do help me with the query.

Thanks in Advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2019 12:06 PM

There probably are a few ways to do this. One is with subsearch.

index=foo earliest=-1w@w6 NOT [index=foo earliest=-2w@w6 latest=-1w@w5 | fields login_name | format]

or use set diff

set diff [index=foo earliest=-2w@w6 latest=-1w@w5] [index=foo earliest=-1w@w6]
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2019 12:06 PM

There probably are a few ways to do this. One is with subsearch.

index=foo earliest=-1w@w6 NOT [index=foo earliest=-2w@w6 latest=-1w@w5 | fields login_name | format]

or use set diff

set diff [index=foo earliest=-2w@w6 latest=-1w@w5] [index=foo earliest=-1w@w6]
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

satyaallaparthi
Communicator
‎10-14-2019 12:26 PM

Hello,
Unfortunately, I am getting all 3150 login names When I am trying with Below Query.

index=lookups sourcetype=users_roles earliest=-7d@d latest=now
NOT
[search index=lookups sourcetype=users_roles earliest=-14d@d latest=-7d@d]
| stats count by login_name

3,143 events (10/7/19 12:00:00.000 AM to 10/14/19 3:21:06.000 PM)

Please do help if there is something else to sort out this issue..

Thanks,

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2019 01:11 PM

Have you tried the other query?

I've modified my answer. See if that makes a difference.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...