Is it possible to find the earliest time for all users over all time, then do a distinct count of users by month using the earliest time as _time, therefore resulting in the distinct count of new users per month?
I don't really want to do the lookup state-of-the-world method. I need to end up with a table: _time, Users (where Users = new users and _time is by month). I can then append this to another search and create some calculated metrics using eval.
I would look at my app, Search Activity, for help with this type of thing. You could easily run
| tstats min(_time) as _time from `SA_Events` groupby user | timechart count
and leverage the accelerated store.
To do this with raw events, I would go for:
index=_audit user action login attempt info=succeeded user=* | stats min(_time) as _time by user | timechart count
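The answer above expresses the idea as a two-stage SPL pipeline: keep only successful login attempts, reduce each user to their earliest timestamp (`stats min(_time) as _time by user`), then count those first-seen times per time bucket (`timechart count`, which for a per-month table means `span=1mon`). The Python below is an added example, not code from the original thread or from the Search Activity app, that reproduces that logic offline over a handful of constructed lines written in the style of Splunk's `_audit` "login attempt" events (the `timestamp=MM-DD-YYYY HH:MM:SS.mmm`, `user=`, `action=`, `info=` layout and the sample users are assumptions for the demo). Like `timechart`, it emits a zero for months in which no new user appeared, so the resulting table lines up with other monthly series you might append to it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events (demo data, not from any real Splunk instance).
# A failed attempt must not count as the user's first login, so bob's
# January line is deliberately info=failed and his first success is in February.
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp=01-04-2015 09:12:03.000, user=alice, action=login attempt, info=succeeded]",
    "Audit:[timestamp=01-15-2015 14:00:00.000, user=bob, action=login attempt, info=failed reason=user-initiated]",
    "Audit:[timestamp=02-02-2015 08:30:00.000, user=alice, action=login attempt, info=succeeded]",
    "Audit:[timestamp=02-03-2015 10:00:00.000, user=bob, action=login attempt, info=succeeded]",
    "Audit:[timestamp=02-20-2015 11:45:00.000, user=carol, action=login attempt, info=succeeded]",
    "Audit:[timestamp=03-01-2015 07:00:00.000, user=alice, action=login attempt, info=succeeded]",
    "Audit:[timestamp=03-09-2015 16:20:00.000, user=dave, action=login attempt, info=succeeded]",
    "Audit:[timestamp=05-05-2015 12:00:00.000, user=eve, action=login attempt, info=succeeded]",
]

# Assumed field layout of an _audit login event; adjust the pattern if yours differs.
AUDIT_RE = re.compile(
    r"timestamp=(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}),"
    r".*?\buser=(?P<user>[^,\]\s]+)"
    r".*?\baction=(?P<action>[^,\]]+)"
    r".*?\binfo=(?P<info>[^,\]\s]+)"
)
TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f"


def parse_audit_line(line):
    """Extract _time, user, action and info from one audit line, or None if it does not match."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return {
        "_time": datetime.strptime(m.group("ts"), TS_FORMAT),
        "user": m.group("user"),
        "action": m.group("action").strip(),
        "info": m.group("info"),
    }


def first_login_per_user(lines):
    """Equivalent of: action="login attempt" info=succeeded | stats min(_time) as _time by user."""
    first = {}
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or ev["action"] != "login attempt" or ev["info"] != "succeeded":
            continue
        user = ev["user"]
        if user not in first or ev["_time"] < first[user]:
            first[user] = ev["_time"]
    return first


def _month_range(start_key, end_key):
    """Yield every 'YYYY-MM' key from start_key to end_key inclusive."""
    y, m = (int(p) for p in start_key.split("-"))
    ey, em = (int(p) for p in end_key.split("-"))
    while (y, m) <= (ey, em):
        yield f"{y:04d}-{m:02d}"
        m += 1
        if m > 12:
            y, m = y + 1, 1


def new_users_per_month(lines):
    """Equivalent of: ... | timechart span=1mon count, returned as [(month, new_users), ...].

    Each user survives the first stage exactly once, so a plain count of rows per
    month is already the distinct count of new users in that month.
    """
    first = first_login_per_user(lines)
    if not first:
        return []
    counts = Counter(t.strftime("%Y-%m") for t in first.values())
    keys = sorted(counts)
    # Fill months with no new users with 0, as timechart does for empty buckets.
    return [(k, counts.get(k, 0)) for k in _month_range(keys[0], keys[-1])]


if __name__ == "__main__":
    print("_time    Users")
    for month, users in new_users_per_month(SAMPLE_AUDIT_LINES):
        print(f"{month}  {users}")
```

The same first-seen reduction is also a useful baseline for detection: an account whose earliest successful login falls in the current month is, by definition, one your monthly trend has never counted before, which is exactly the population worth a second look in an audit review.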
Thanks, managed to get it to work with the following post, but will check out the app.
http://answers.splunk.com/answers/229349/can-i-use-an-extracted-date-field-as-my-time-for-m.html