Reporting
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need a Help with Query for Report

satyaallaparthi
Communicator
‎10-14-2019 11:49 AM

Hello,

I have user data which is ingesting every week on Saturday in to Splunk.

I have 3000 Events on 5th Oct and 3150 Events on 12th Oct. i.e, 150 new users created in last one week.

And I have the fields called login_name and User_type.

I want to create a report showing new login_name by comparing 2 weeks of data. which is not in Splunk on 5th Oct and which is on 12th Oct.

Please do help me with the query.

Thanks in Advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2019 12:06 PM

There probably are a few ways to do this. One is with subsearch.

index=foo earliest=-1w@w6 NOT [index=foo earliest=-2w@w6 latest=-1w@w5 | fields login_name | format]

or use set diff

set diff [index=foo earliest=-2w@w6 latest=-1w@w5] [index=foo earliest=-1w@w6]
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2019 12:06 PM

There probably are a few ways to do this. One is with subsearch.

index=foo earliest=-1w@w6 NOT [index=foo earliest=-2w@w6 latest=-1w@w5 | fields login_name | format]

or use set diff

set diff [index=foo earliest=-2w@w6 latest=-1w@w5] [index=foo earliest=-1w@w6]
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

satyaallaparthi
Communicator
‎10-14-2019 12:26 PM

Hello,
Unfortunately, I am getting all 3150 login names When I am trying with Below Query.

index=lookups sourcetype=users_roles earliest=-7d@d latest=now
NOT
[search index=lookups sourcetype=users_roles earliest=-14d@d latest=-7d@d]
| stats count by login_name

3,143 events (10/7/19 12:00:00.000 AM to 10/14/19 3:21:06.000 PM)

Please do help if there is something else to sort out this issue..

Thanks,

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2019 01:11 PM

Have you tried the other query?

I've modified my answer. See if that makes a difference.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top