Please forgive my ignorance, I am newbie to Splunk. I am trying to depict a unique count of users over two different time periods and show a ratio between the two. I would like to the following: A=Active users that have logged on within the last 90 days by department, B= Active users that have logged on with the last 30 days by department C: ratio between A and B by department. I have figured how to get A and B as separate queries, but how do I combine them into a single table?
Lots of ways to do this. One method is just using eval (you may need to adjust this based on your field names eg department)
<yoursearch> earliest =-90d@d | eval UniqueUsersNinetyDays =if(_time<relative_time(now(),"-30d"),user,NULL) |eval UniqueUsersThirtyDays=if(_time>relative_time(now(),"-30d"),user,NULL)| stats dc(UniqueUsersNinetyDays) as UniqueUsersNinetyDays dc(UniqueUsersThirtyDays) as UniqueUsersThirtyDays by department| eval Ratio=UniqueUsersNinetyDays/UniqueUsersThirtyDays
You could also run a couple of subsearches, or use eventstats. As a newbie, I highly recommend you get familiar with stats, chart and eval. The documentation for these commands is great.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Chart
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
Also search for those commands on splunk answers - there are lots of real world examples