Splunk Search
Highlighted

How do I write a search to create a cohort-like table view?

Explorer

Hi,

I'm trying to create cohort "like" table view. Cohort "like" because I have two searches that I want to execute:
1. get me all new users in specific time frame (with one variant in summing them up)
2. get me from those users how many time they did appear again in next months (with another variant of summing them up)

I did manage to get all data with one subsearch, but I can't plot it on table or any graph. Simple join would not work since it will overwrite eval data and I need eval data in the subsearch to actually get a number that I want to show. What I need is to show data as:

      jan  feb  mar  aprl
jan    10   8    4    2
feb        10    6    4
mar             10    5

Or the other way around. Since I have all data in my events, I don't know how to display data in this fashion for multiple months, but I can do it for one month only.

I also have date in accelerated data model but i could not think any thing with that also. Since Splunk have a lot's of statistical command, is there any simple solution for cohort or i need to do lot's of subsearches?

Tags (3)
0 Karma
Highlighted

Re: How do I write a search to create a cohort-like table view?

Esteemed Legend

If you can do it for one month then you should be able to overlap adjacent months using the Timewrap app:

https://splunkbase.splunk.com/app/1645/

0 Karma
Highlighted

Re: How do I write a search to create a cohort-like table view?

Explorer

Will not work. I need users in one month (with specific evals and calculations) then go trough months with those users with other calculations.

0 Karma
Highlighted

Re: How do I write a search to create a cohort-like table view?

Esteemed Legend
0 Karma
Highlighted

Re: How do I write a search to create a cohort-like table view?

Explorer

That is not what i need. As you can see in example:
Jan - number of started user minus number of unsubscribed to get total number
Feb - of those who started in Jan get number who continued and minus number who unsubscribed... and like that to other march, april...
Feb - also start from beginning - number of registered in Feb minus number of unsubscribed......

Contingency builds a contingency table for two fields - i need on both axis time and to show sum of some counter in the middle.

In short i was hoping for command that will take one defined group of data and show me movements of that group over time - but for every month as start point in my time range.

Something like: http://www.r-bloggers.com/cohort-analysis-with-r-retention-charts/

0 Karma