Splunk Search

Reading in a list of usernames, counting them and creating a comparison to the previous month

johnquinn
Explorer

I need to read in a file of Exchange mailboxes and usernames/accounts, provide the total number of mailboxes and usernames/accounts, compare that number to the count from the previous month, and show a graph with the new mailboxes/counts. We have extracted the information using PowerShell and have imported it; we're just not sure how to count the names and provide the comparison. Any help is appreciated.


johnquinn
Explorer

Thank you @cmerriman, niketnilay and MuS. I cannot attach (not enough points) but have included content from May and one from June.

>>>>May>>>>>>
Name               WhenCreated              WhenCreatedUTC
----               -----------              --------------
George Jones       4/6/2009 8:39:33 AM      4/6/2009 1:39:33 PM
Dan Smith          11/28/2011 3:17:23 PM    11/28/2011 9:17:23 PM
Kathy Smoke        05/01/2017 8:14:42 AM    05/01/2017 8:14:42 AM
Jeffrey Everest    7/22/2010 12:32:00 PM    7/22/2010 5:32:00 PM

1 new users
1 removed users
4 total users
>>>>>>>may>>

>>>june>>>
Name               WhenCreated              WhenCreatedUTC
----               -----------              --------------
George Jones       4/6/2009 8:39:33 AM      4/6/2009 1:39:33 PM
Dan Smith          11/28/2011 3:17:23 PM    11/28/2011 9:17:23 PM
Jeffrey Everest    7/22/2010 12:32:00 PM    7/22/2010 5:32:00 PM
Kathy Smoke        05/01/2017 8:14:42 AM    05/01/2017 8:14:42 AM
Bill Hope          06/01/2017 3:17:23 PM    06/01/2017 3:17:23 PM

1 new users
0 removed users
5 total users
<<<>>

somesoni2
Revered Legend

Is the data ingested in Splunk? If yes, how does it look in Splunk (is each line a separate event, or is there one block for each month, or something else)?


DalJeanis
SplunkTrust
SplunkTrust

This trivial example assumes: that you have loaded the data from both files into index foo, with source bar; that the events have a _time as of the date of pull, or, if you use the date of load, that you load the files within the calendar month; that you don't care to know exactly how many were added or deleted, just what the number was; ... and I guess that's it.

index=foo source=bar
| bin _time span=1mon
| stats count by _time
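Building on the per-month count above, here is an added search (not posted by anyone in this thread) that also reports the month-over-month change and the number of mailboxes added and removed, by comparing each month's set of names with the previous month's. It assumes the same index=foo and source=bar, one event per mailbox per monthly pull with the Name field extracted, and _time set to the pull date; the added and removed counts come from the size of the union of the two months' name sets minus the size of each set.

```spl
index=foo source=bar earliest=-6mon@mon
| bin _time span=1mon
| stats dc(Name) AS total values(Name) AS names BY _time
| sort 0 _time
| streamstats current=f window=1 values(names) AS prev_names last(total) AS prev_total
| eval union_size=mvcount(mvdedup(mvappend(names, prev_names)))
| eval new=if(isnull(prev_names), null(), union_size - mvcount(prev_names))
| eval removed=if(isnull(prev_names), null(), union_size - mvcount(names))
| eval change=total - prev_total
| table _time total prev_total change new removed
```

On the May/June sample in the question this yields total 4 then 5, with new=1, removed=0 and change=1 for June; the first month has no previous row, so its comparison columns are empty. Names are matched on exact spelling, so normalise case (for example with lower(Name)) before the stats if the monthly exports are not consistent.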

cmerriman
Super Champion

Can you provide a sample of the data you're working with?

Have you tried to use the timewrap app to complete this month over month comparison?

MuS
SplunkTrust
SplunkTrust

Just in case, here is the link to the app https://splunkbase.splunk.com/app/1645/


niketnilay
Legend

While the Timewrap app might not be supported for newer versions of Splunk, the timewrap command is available in SPL itself from Splunk Enterprise 6.5 onward: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap

However, as per @cmerriman, do provide some sample data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"