I need to read in a file of Exchange mailboxes and usernames/accounts, provide the total number of mailboxes and usernames/accounts, compare that number to the count from the previous month, and show a graph with the new mailboxes/counts. We have extracted the information using PowerShell and have imported the info; I'm just not sure how to count the names and provide the comparison. Any help is appreciated.
Thank you @cmerriman, niketnilay and MuS. I cannot attach (not enough points) but have included content from May and one from June.
>>>>May>>>>>>
Name WhenCreated WhenCreatedUTC
---- ----------- --------------
George Jones 4/6/2009 8:39:33 AM 4/6/2009 1:39:33 PM
Dan Smith 11/28/2011 3:17:23 PM 11/28/2011 9:17:23 PM
Kathy Smoke 05/01/2017 8:14:42 AM 05/01/2017 8:14:42 AM
Jeffrey Everest 7/22/2010 12:32:00 PM 7/22/2010 5:32:00 PM
1 new users
1 removed users
4 total users
>>>>>>>may>>
>>>june>>>
Name WhenCreated WhenCreatedUTC
---- ----------- --------------
George Jones 4/6/2009 8:39:33 AM 4/6/2009 1:39:33 PM
Dan Smith 11/28/2011 3:17:23 PM 11/28/2011 9:17:23 PM
Jeffrey Everest 7/22/2010 12:32:00 PM 7/22/2010 5:32:00 PM
Kathy Smoke 05/01/2017 8:14:42 AM 05/01/2017 8:14:42 AM
Bill Hope 06/01/2017 3:17:23 PM 06/01/2017 3:17:23 PM
1 new users
0 removed users
5 total users
<<<>>
Is the data ingested in Splunk? If yes, how does it look in Splunk (each line is separate events OR one block for each month or anything else)?
This trivial example assumes: that you have loaded the data from both files into index foo, with source bar; that the events have a _time as/of the date of pull or that if you use the date of load that you load the files within the calendar month; that you don't care to know exactly how many were added or deleted, just what the number was; ... and I guess that's it.
index=foo source=bar
| bin _time span=1mon
| stats count by _time
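Since the data pasted above is the plain-text output of the PowerShell extraction, here is an added example (not code from anyone in this thread) showing the counting done outside Splunk: it parses the two monthly exports into name -> creation-time records, diffs them by mailbox name to get added/removed lists and the totals, and also buckets mailboxes by creation month, which is the per-month histogram the `stats count` search above produces once each row carries a `_time`. The diff is the part the search alone does not give you: a mailbox that disappears between pulls shows up in `removed`, which is the figure an account-lifecycle review actually wants. The sample strings are constructed from the May and June data in the question; the function names and the assumption that every row is "name, WhenCreated, WhenCreatedUTC" are mine.

```python
import re
from datetime import datetime

# Constructed sample input: the two monthly exports pasted in the question
# (Get-Mailbox style columns: Name, WhenCreated, WhenCreatedUTC).
MAY_EXPORT = """\
Name WhenCreated WhenCreatedUTC
---- ----------- --------------
George Jones 4/6/2009 8:39:33 AM 4/6/2009 1:39:33 PM
Dan Smith 11/28/2011 3:17:23 PM 11/28/2011 9:17:23 PM
Kathy Smoke 05/01/2017 8:14:42 AM 05/01/2017 8:14:42 AM
Jeffrey Everest 7/22/2010 12:32:00 PM 7/22/2010 5:32:00 PM
"""

JUNE_EXPORT = """\
Name WhenCreated WhenCreatedUTC
---- ----------- --------------
George Jones 4/6/2009 8:39:33 AM 4/6/2009 1:39:33 PM
Dan Smith 11/28/2011 3:17:23 PM 11/28/2011 9:17:23 PM
Jeffrey Everest 7/22/2010 12:32:00 PM 7/22/2010 5:32:00 PM
Kathy Smoke 05/01/2017 8:14:42 AM 05/01/2017 8:14:42 AM
Bill Hope 06/01/2017 3:17:23 PM 06/01/2017 3:17:23 PM
"""

# One data row: a free-form name (may contain spaces) followed by two
# "M/D/YYYY h:mm:ss AM|PM" timestamps. The name is matched non-greedily so
# it stops at the first timestamp.
DATE = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
ROW = re.compile(rf"^(?P<name>.+?)\s+(?P<created>{DATE})\s+(?P<created_utc>{DATE})\s*$")
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_export(text):
    """Return {name: (WhenCreated, WhenCreatedUTC)} from a pasted export.

    Header and dash rows are skipped; any other row that does not match the
    expected shape raises, so a malformed export is noticed instead of silently
    shrinking the count (a hypothetical strictness choice for this example).
    """
    mailboxes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        if line.startswith("Name ") and "WhenCreated" in line:
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        mailboxes[m["name"]] = (
            datetime.strptime(m["created"], TIME_FORMAT),
            datetime.strptime(m["created_utc"], TIME_FORMAT),
        )
    return mailboxes


def compare_months(previous, current):
    """Diff two parsed exports by mailbox name and report the monthly figures."""
    prev_names, cur_names = set(previous), set(current)
    return {
        "added": sorted(cur_names - prev_names),
        "removed": sorted(prev_names - cur_names),
        "previous_total": len(prev_names),
        "current_total": len(cur_names),
        "delta": len(cur_names) - len(prev_names),
    }


def created_per_month(mailboxes):
    """Count mailboxes by creation month (YYYY-MM), oldest month first.

    This is the creation-date view: it tells you how many mailboxes were
    created in each month, but it cannot show removals; use compare_months
    for those.
    """
    counts = {}
    for created, _created_utc in mailboxes.values():
        key = created.strftime("%Y-%m")
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    may, june = parse_export(MAY_EXPORT), parse_export(JUNE_EXPORT)
    result = compare_months(may, june)
    print(f"May total: {result['previous_total']}  June total: {result['current_total']}")
    print(f"Added: {result['added']}  Removed: {result['removed']}  Delta: {result['delta']:+d}")
    print("Created per month (June export):", created_per_month(june))
```

On the June data this reports 4 and 5 totals, `['Bill Hope']` added and nothing removed, matching the "1 new users / 0 removed users / 5 total users" lines in the question. Matching on the display name is only as reliable as names are unique; if the export can include the alias or GUID column, key on that instead.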
Can you provide a sample of the data you're working with?
Have you tried to use the timewrap app to complete this month over month comparison?
Just in case, here is the link to the app https://splunkbase.splunk.com/app/1645/
While the Timewrap app might not be supported for newer versions of Splunk, the timewrap command is available in SPL itself from Splunk Enterprise 6.5 onward: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap
However, as per @cmerriman, do provide some sample data.