Splunk Search

How do I write a search to create a cohort-like table view?

jbranislav
Explorer

Hi,

I'm trying to create a cohort-"like" table view. Cohort-"like" because I have two searches that I want to execute:
1. get me all new users in a specific time frame (with one variant of summing them up)
2. get me, from those users, how many times they appeared again in the next months (with another variant of summing them up)

I did manage to get all the data with one subsearch, but I can't plot it on a table or any graph. A simple join would not work since it will overwrite the eval data, and I need the eval data in the subsearch to actually get the number that I want to show. What I need is to show the data as:

      jan  feb  mar  aprl
jan    10   8    4    2
feb        10    6    4
mar             10    5

Or the other way around. Since I have all data in my events, I don't know how to display data in this fashion for multiple months, but I can do it for one month only.

I also have date in an accelerated data model, but I could not think of anything with that either. Since Splunk has lots of statistical commands, is there any simple solution for cohorts, or do I need to do lots of subsearches?

0 Karma

woodcock
Esteemed Legend
0 Karma

jbranislav
Explorer

That is not what I need. As you can see in the example:
Jan - number of started users minus number of unsubscribed to get the total number
Feb - of those who started in Jan, get the number who continued, minus the number who unsubscribed... and like that for the others: March, April...
Feb - also start from the beginning - number of registered in Feb minus number of unsubscribed......

Contingency builds a contingency table for two fields - I need time on both axes and to show the sum of some counter in the middle.

In short, I was hoping for a command that will take one defined group of data and show me the movements of that group over time - but for every month as a start point in my time range.

Something like: http://www.r-bloggers.com/cohort-analysis-with-r-retention-charts/

0 Karma

woodcock
Esteemed Legend

If you can do it for one month then you should be able to overlap adjacent months using the Timewrap app:

https://splunkbase.splunk.com/app/1645/

0 Karma

jbranislav
Explorer

Will not work. I need users in one month (with specific evals and calculations), then go through the months with those users with other calculations.

0 Karma
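
One way to get the month-by-month layout shown in the question without subsearches, as an added example that is not from any poster in this thread: tag every event with the month of that user's first event, then chart distinct users over the cohort month by the activity month. It assumes `<your_index>` is a placeholder for the real index, that a field named `user` identifies each user, and that a user counts as new in the month of their first event inside the search time range; it covers only the count of distinct returning users, not the subscribe/unsubscribe arithmetic described in the thread.

```spl
index=<your_index> user=*
| bin _time span=1mon
| eventstats min(_time) AS cohort_start BY user
| eval cohort=strftime(cohort_start, "%Y-%m"), active_month=strftime(_time, "%Y-%m")
| chart limit=0 dc(user) OVER cohort BY active_month
```

Each row is a cohort (first-seen month) and each column is a later activity month, so the diagonal holds the cohort sizes and the cells to its right hold how many of those users were seen again.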