Compare count of unique values over two different time periods


Please forgive my ignorance, I am a newbie to Splunk. I am trying to depict a unique count of users over two different time periods and show a ratio between the two. I would like to do the following: A = active users that have logged on within the last 90 days, by department; B = active users that have logged on within the last 30 days, by department; C = ratio between A and B, by department. I have figured out how to get A and B as separate queries, but how do I combine them into a single table?



Lots of ways to do this. One method is just using eval (you may need to adjust this based on your field names, e.g. department):

<yoursearch> earliest=-90d@d
| eval UniqueUsersNinetyDays=if(_time>=relative_time(now(),"-90d@d"),user,null())
| eval UniqueUsersThirtyDays=if(_time>=relative_time(now(),"-30d@d"),user,null())
| stats dc(UniqueUsersNinetyDays) as UniqueUsersNinetyDays dc(UniqueUsersThirtyDays) as UniqueUsersThirtyDays by department
| eval Ratio=UniqueUsersNinetyDays/UniqueUsersThirtyDays

You could also run a couple of subsearches, or use eventstats. As a newbie, I highly recommend you get familiar with stats, chart and eval. The documentation for these commands is great.


Also search for those commands on Splunk Answers - there are lots of real world examples.

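The same two-window distinct count and ratio, worked through in Python over a few constructed logon events so the semantics are visible (an added example, not from the original thread; the 90-day set includes the 30-day users, so the ratio is never below 1, and a department with no logons in the last 30 days gets a null ratio, as Splunk's eval does on division by zero):

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible (constructed, not a real clock).
NOW = datetime(2021, 11, 1, tzinfo=timezone.utc)

# Constructed logon events: (timestamp, user, department).
EVENTS = [
    (NOW - timedelta(days=5),   "alice", "eng"),
    (NOW - timedelta(days=60),  "alice", "eng"),   # same user twice: counted once
    (NOW - timedelta(days=45),  "bob",   "eng"),   # only in the 90-day window
    (NOW - timedelta(days=20),  "carol", "eng"),
    (NOW - timedelta(days=80),  "dave",  "hr"),    # hr has nobody in last 30 days
    (NOW - timedelta(days=100), "erin",  "hr"),    # outside earliest=-90d, dropped
    (NOW - timedelta(days=2),   "frank", "ops"),
]


def active_user_ratio(events, now, long_days=90, short_days=30):
    """Distinct users per department in a long and a short window, plus ratio.

    Mirrors the SPL: restrict to the long window, then dc() users whose
    _time falls inside each window, grouped by department.
    """
    long_cut = now - timedelta(days=long_days)
    short_cut = now - timedelta(days=short_days)
    long_users = {}   # department -> set of users seen in the long window
    short_users = {}  # department -> set of users seen in the short window
    for ts, user, dept in events:
        if ts < long_cut or ts > now:
            continue  # equivalent of earliest=-90d on the base search
        long_users.setdefault(dept, set()).add(user)
        if ts >= short_cut:
            short_users.setdefault(dept, set()).add(user)
    rows = []
    for dept in sorted(long_users):
        a = len(long_users[dept])
        b = len(short_users.get(dept, set()))
        ratio = a / b if b else None  # Splunk eval yields null when dividing by zero
        rows.append({
            "department": dept,
            "UniqueUsersNinetyDays": a,
            "UniqueUsersThirtyDays": b,
            "Ratio": ratio,
        })
    return rows


if __name__ == "__main__":
    for row in active_user_ratio(EVENTS, NOW):
        print(row)
```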