Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need a Help with Query for Report

satyaallaparthi
Communicator
‎10-14-2019 11:49 AM

Hello,

I have user data which is ingesting every week on Saturday in to Splunk.

I have 3000 Events on 5th Oct and 3150 Events on 12th Oct. i.e, 150 new users created in last one week.

And I have the fields called login_name and User_type.

I want to create a report showing new login_name by comparing 2 weeks of data. which is not in Splunk on 5th Oct and which is on 12th Oct.

Please do help me with the query.

Thanks in Advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2019 12:06 PM

There probably are a few ways to do this. One is with subsearch.

index=foo earliest=-1w@w6 NOT [index=foo earliest=-2w@w6 latest=-1w@w5 | fields login_name | format]

or use set diff

set diff [index=foo earliest=-2w@w6 latest=-1w@w5] [index=foo earliest=-1w@w6]
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2019 12:06 PM

There probably are a few ways to do this. One is with subsearch.

index=foo earliest=-1w@w6 NOT [index=foo earliest=-2w@w6 latest=-1w@w5 | fields login_name | format]

or use set diff

set diff [index=foo earliest=-2w@w6 latest=-1w@w5] [index=foo earliest=-1w@w6]
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

satyaallaparthi
Communicator
‎10-14-2019 12:26 PM

Hello,
Unfortunately, I am getting all 3150 login names When I am trying with Below Query.

index=lookups sourcetype=users_roles earliest=-7d@d latest=now
NOT
[search index=lookups sourcetype=users_roles earliest=-14d@d latest=-7d@d]
| stats count by login_name

3,143 events (10/7/19 12:00:00.000 AM to 10/14/19 3:21:06.000 PM)

Please do help if there is something else to sort out this issue..

Thanks,

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2019 01:11 PM

Have you tried the other query?

I've modified my answer. See if that makes a difference.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
li.common.scroll-to.top