I do need the New and Distinct users PER product...that is correct. So for example, I modified the query to limit it to a specific user "cgm" who I know logs into the system every day.
index=bi "User cgm Logged" | eval Product=if(like(host,"agen%"),"Agency","Rate") | streamstats count as logincount global=false by OBIEE_USER_NAME | eval newuserevent=case(logincount=="1", 1) | timechart span=1d dc(OBIEE_USER_NAME) sum(newuserevent) by Product
What I see here is that the SUM(NEWUSEREVENT) shows as 1 only for the most RECENT DAY...I would think it would show it for the "First" day. Is Splunk defaulting to the most recent as "NEW USER" for some reason?
Also...I only see the SUM(NewUserEvent) value for one of the Products...Rate...not the other (Agency). In certain cases a userid can be the same across the two products, but most often these are distinct user sets.
Not sure if that makes sense.