I'm trying to create a cohort "like" table view. Cohort "like" because I have two searches that I want to execute:
1. get me all new users in a specific time frame (with one variant of summing them up)
2. get me, from those users, how many times they appeared again in the next months (with another variant of summing them up)
I did manage to get all the data with one subsearch, but I can't plot it in a table or any graph. A simple join would not work since it will overwrite the eval data, and I need the eval data in the subsearch to actually get the number that I want to show. What I need is to show the data as:
       jan   feb   mar   apr
jan     10     8     4     2
feb           10     6     4
mar                 10     5
Or the other way around. Since I have all data in my events, I don't know how to display data in this fashion for multiple months, but I can do it for one month only.
I also have the data in an accelerated data model, but I could not think of anything to do with that either. Since Splunk has a lot of statistical commands, is there any simple solution for a cohort, or do I need to do lots of subsearches?
Will not work. I need users in one month (with specific evals and calculations), then go through the months with those users with other calculations.
That is not what I need. As you can see in the example:
Jan - number of started users minus number of unsubscribed to get the total number
Feb - of those who started in Jan, get the number who continued minus the number who unsubscribed... and like that for the other months, March, April...
Feb - also start from the beginning - number of registered in Feb minus number of unsubscribed...
Contingency builds a contingency table for two fields - I need time on both axes and to show the sum of some counter in the middle.
In short, I was hoping for a command that will take one defined group of data and show me the movements of that group over time - but for every month as a start point in my time range.