Splunk Search

Compare count of unique values over two different time periods

kennyja
Explorer

Please forgive my ignorance, I am newbie to Splunk. I am trying to depict a unique count of users over two different time periods and show a ratio between the two. I would like to the following: A=Active users that have logged on within the last 90 days by department, B= Active users that have logged on with the last 30 days by department C: ratio between A and B by department. I have figured how to get A and B as separate queries, but how do I combine them into a single table?

Tags (1)
0 Karma

jplumsdaine22
Influencer

Lots of ways to do this. One method is just using eval (you may need to adjust this based on your field names eg department)

<yoursearch> earliest =-90d@d | eval UniqueUsersNinetyDays =if(_time<relative_time(now(),"-30d"),user,NULL) |eval UniqueUsersThirtyDays=if(_time>relative_time(now(),"-30d"),user,NULL)|   stats dc(UniqueUsersNinetyDays) as UniqueUsersNinetyDays dc(UniqueUsersThirtyDays) as UniqueUsersThirtyDays by department| eval Ratio=UniqueUsersNinetyDays/UniqueUsersThirtyDays

You could also run a couple of subsearches, or use eventstats. As a newbie, I highly recommend you get familiar with stats, chart and eval. The documentation for these commands is great.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Chart
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval

Also search for those commands on splunk answers - there are lots of real world examples

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!