Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need a Help with Query for Report

satyaallaparthi
Communicator
‎10-14-2019 11:49 AM

Hello,

I have user data which is ingesting every week on Saturday in to Splunk.

I have 3000 Events on 5th Oct and 3150 Events on 12th Oct. i.e, 150 new users created in last one week.

And I have the fields called login_name and User_type.

I want to create a report showing new login_name by comparing 2 weeks of data. which is not in Splunk on 5th Oct and which is on 12th Oct.

Please do help me with the query.

Thanks in Advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2019 12:06 PM

There probably are a few ways to do this. One is with subsearch.

index=foo earliest=-1w@w6 NOT [index=foo earliest=-2w@w6 latest=-1w@w5 | fields login_name | format]

or use set diff

set diff [index=foo earliest=-2w@w6 latest=-1w@w5] [index=foo earliest=-1w@w6]
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2019 12:06 PM

There probably are a few ways to do this. One is with subsearch.

index=foo earliest=-1w@w6 NOT [index=foo earliest=-2w@w6 latest=-1w@w5 | fields login_name | format]

or use set diff

set diff [index=foo earliest=-2w@w6 latest=-1w@w5] [index=foo earliest=-1w@w6]
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

satyaallaparthi
Communicator
‎10-14-2019 12:26 PM

Hello,
Unfortunately, I am getting all 3150 login names When I am trying with Below Query.

index=lookups sourcetype=users_roles earliest=-7d@d latest=now
NOT
[search index=lookups sourcetype=users_roles earliest=-14d@d latest=-7d@d]
| stats count by login_name

3,143 events (10/7/19 12:00:00.000 AM to 10/14/19 3:21:06.000 PM)

Please do help if there is something else to sort out this issue..

Thanks,

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2019 01:11 PM

Have you tried the other query?

I've modified my answer. See if that makes a difference.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...