Compare count of unique values over two different ...

kennyja · ‎12-23-2015

Please forgive my ignorance, I am newbie to Splunk. I am trying to depict a unique count of users over two different time periods and show a ratio between the two. I would like to the following: A=Active users that have logged on within the last 90 days by department, B= Active users that have logged on with the last 30 days by department C: ratio between A and B by department. I have figured how to get A and B as separate queries, but how do I combine them into a single table?

jplumsdaine22 · ‎12-23-2015

Lots of ways to do this. One method is just using eval (you may need to adjust this based on your field names eg department)

<yoursearch> earliest =-90d@d | eval UniqueUsersNinetyDays =if(_time<relative_time(now(),"-30d"),user,NULL) |eval UniqueUsersThirtyDays=if(_time>relative_time(now(),"-30d"),user,NULL)|   stats dc(UniqueUsersNinetyDays) as UniqueUsersNinetyDays dc(UniqueUsersThirtyDays) as UniqueUsersThirtyDays by department| eval Ratio=UniqueUsersNinetyDays/UniqueUsersThirtyDays

You could also run a couple of subsearches, or use eventstats. As a newbie, I highly recommend you get familiar with stats, chart and eval. The documentation for these commands is great.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Chart
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval

Also search for those commands on splunk answers - there are lots of real world examples

Compare count of unique values over two different time periods

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!