Solved: Re: New users per month

DanielFordWA · ‎07-17-2015

Is it possible to find the earliest time for all users over all time. Then do a distinct count of users by month using the earliest time as _time, therefore resulting in the distinct count of new users per month?

I don't really want to do the lookup state of the world method. I need to end up with a table : _time "Users" (where Users = new users and _time is by month) I can append this in another search and create some calculated metrics using eval.

David · ‎07-17-2015

I would look at my app, Search Activity, for help with this type of thing. You could easily run

| tstats min(_time) as _time from `SA_Events` groupby user  | timechart count

and leverage the accelerated store.

To do this with raw events, I would go for:

index=_audit user action login attempt info=succeeded user=*  | stats min(_time) as _time by user | timechart count

View solution in original post

David · ‎07-17-2015

I would look at my app, Search Activity, for help with this type of thing. You could easily run

| tstats min(_time) as _time from `SA_Events` groupby user  | timechart count

and leverage the accelerated store.

To do this with raw events, I would go for:

index=_audit user action login attempt info=succeeded user=*  | stats min(_time) as _time by user | timechart count

DanielFordWA · ‎07-17-2015

Thanks, managed to get it to work wit the following post but will check out the app.

http://answers.splunk.com/answers/229349/can-i-use-an-extracted-date-field-as-my-time-for-m.html

New users per month

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability