Splunk Search

How do I write a search to create a cohort-like table view?

jbranislav
Explorer

Hi,

I'm trying to create a cohort-"like" table view. Cohort "like" because I have two searches that I want to execute:
1. get me all new users in a specific time frame (with one variant of summing them up)
2. get me, from those users, how many times they appeared again in the following months (with another variant of summing them up)

I did manage to get all the data with one subsearch, but I can't plot it in a table or any graph. A simple join would not work since it would overwrite the eval data, and I need the eval data in the subsearch to actually get the number that I want to show. What I need is to show the data as:

      jan  feb  mar  aprl
jan    10   8    4    2
feb        10    6    4
mar             10    5

Or the other way around. Since I have all the data in my events, I don't know how to display the data in this fashion for multiple months, but I can do it for one month only.

I also have the data in an accelerated data model, but I could not think of anything with that either. Since Splunk has a lot of statistical commands, is there any simple solution for cohorts, or do I need to do lots of subsearches?


woodcock
Esteemed Legend

jbranislav
Explorer

That is not what I need. As you can see in the example:
Jan - number of users who started minus number who unsubscribed, to get the total number
Feb - of those who started in Jan, get the number who continued minus the number who unsubscribed... and like that for the other months, March, April...
Feb - also start from the beginning: number registered in Feb minus number unsubscribed......

Contingency builds a contingency table for two fields; I need time on both axes and the sum of some counter shown in the middle.

In short, I was hoping for a command that will take one defined group of data and show me the movements of that group over time, but with every month in my time range as a starting point.

Something like: http://www.r-bloggers.com/cohort-analysis-with-r-retention-charts/


woodcock
Esteemed Legend

If you can do it for one month then you should be able to overlap adjacent months using the Timewrap app:

https://splunkbase.splunk.com/app/1645/


jbranislav
Explorer

Will not work. I need the users in one month (with specific evals and calculations), then go through the following months with those users using other calculations.

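One way to build the month-by-month table asked for above in a single search, without subsearches or joins, is to tag every user with the first month they were seen, expand their later active months, and pivot with xyseries; this is an added example, not from any poster on this thread. It assumes constructed field names: an index `app`, sourcetype `user_activity`, one event per user action, and a `user` field identifying the user.

```spl
index=app sourcetype=user_activity
| eval month=strftime(_time, "%Y-%m")
| stats min(month) AS cohort_month, values(month) AS active_month BY user
| mvexpand active_month
| stats dc(user) AS users BY cohort_month, active_month
| xyseries cohort_month active_month users
| sort cohort_month
```

Each row is a cohort (the month a user first appeared), each column an activity month, and the cell is how many of that cohort were seen in that month, so the diagonal is the cohort size. For the two "variants of summing", compute a per-user weight with eval before the first stats (for instance, assuming an `action` field, `| eval weight=if(action=="unsubscribed", -1, 1)`) and replace `dc(user)` with `sum(weight)`.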