Solved: How to generate a search that

svemurilv · ‎07-05-2017

I am looking for Unique users on my Splunk search head cluster
like :

like compare the users change percentage with previous month.

earliest=-60d@d latest=@d index=_audit  NOT user=splunk-system-user NOT user=admin| timechart span=30d dc(user)

thanks advance.

DalJeanis · ‎07-05-2017

Here's one way...

earliest=-6mon@mon latest=@mon index=_audit 
NOT user=splunk-system-user NOT user=admin
| bin _time span=1mon 
| stats dc(user) as UserCount by _time
| streamstats current=f last(UserCount) as PrevCount
| eval PctIncrease= if(isnull(PrevCount),"100%", tostring(floor(100*(UserCount-PrevCount)/PrevCount))."%")

View solution in original post

DalJeanis · ‎07-05-2017

Here's one way...

earliest=-6mon@mon latest=@mon index=_audit 
NOT user=splunk-system-user NOT user=admin
| bin _time span=1mon 
| stats dc(user) as UserCount by _time
| streamstats current=f last(UserCount) as PrevCount
| eval PctIncrease= if(isnull(PrevCount),"100%", tostring(floor(100*(UserCount-PrevCount)/PrevCount))."%")

How to generate a search that

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

How to generate a search that

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0