Solved: Re: How to determine that a field value is "new" o...

JohnR · ‎11-11-2021

I have a search that displays unique users per day (based on a "user id" field). I also would like another search that displays "new" unique users per day, looking back to some fixed date. I suspect maybe I need a sub-search using "earliest" and "latest", but I don't know how to put it together.

PickleRick · ‎11-12-2021

Try and see 🙂

But at first glance seems OK (if you correct the field names - in one step you're calling the field userid, in next one you're sorting by uid)

View solution in original post

PickleRick · ‎11-11-2021

You mean you want to find users which in a given day logged in but have never logged in before?

<your search>
| timechart span=1d values(userid) as users
| expandmv users
| stats earliest(_time) as _time by users

Something like that.

JohnR · ‎11-11-2021

Thanks. If I just wanted a count of new users per day, would this work...

| bin _time span=1d
| stats earliest(_time) as _time by userid
| stats dc(uid) by _time
| sort _time

PickleRick · ‎11-12-2021

Try and see 🙂

But at first glance seems OK (if you correct the field names - in one step you're calling the field userid, in next one you're sorting by uid)

somesoni2 · ‎11-11-2021

Try something like this

index=foo sourcetype=bar earliest=-14d latest=now
| eval period=if(_time>=relative_time(now(),"@d"), "Today","Older")
| stats values(period) as periods by user_id
| where mvcount(periods)=1 AND periods="Today"

How to determine that a field value is "new" on a given day

stats

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!