- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Reading in a list of username, counting them a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Reading in a list of username, counting them and create comparison to previous month
I need to read in a file of exchange mailboxes and usernames/accounts, provide the total number of mailboxes, usernames/accounts and compare that number to the count from the previous month and show a graph with the new mailboxes/counts. We have extracted the information using powershell and have imported the info, just not sure how to count the names and provide the comparison, any help is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @cmerriman, niketnilay amd MuS. I cannot attach (not enough points) but included content from may one from june.
>>>>May>>>>>>
Name WhenCreated WhenCreatedUTC
---- ----------- --------------
George Jones 4/6/2009 8:39:33 AM 4/6/2009 1:39:33 PM
Dan Smith 11/28/2011 3:17:23 PM 11/28/2011 9:17:23 PM
Kathy Smoke 05/01/2017 8:14:42 AM 05/01/2017 8:14:42 AM
Jeffrey Everest 7/22/2010 12:32:00 PM 7/22/2010 5:32:00 PM
1 new users
1 removed users
4 total users
>>>>>>>may>>
>>>june>>>
Name WhenCreated WhenCreatedUTC
---- ----------- --------------
George Jones 4/6/2009 8:39:33 AM 4/6/2009 1:39:33 PM
Dan Smith 11/28/2011 3:17:23 PM 11/28/2011 9:17:23 PM
Jeffrey Everest 7/22/2010 12:32:00 PM 7/22/2010 5:32:00 PM
Kathy Smoke 05/01/2017 8:14:42 AM 05/01/2017 8:14:42 AM
Bill Hope 06/01/2017 3:17:23 PM 06/01/2017 3:17:23 PM
1 new users
0 removed users
5 total users
<<<>>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the data ingested in Splunk? If yes, how does it look in Splunk (each line is separate events OR one block for each month or anything else)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This trivial example assumes: that you have loaded the data from both files into index foo, with source bar; that the events have a _time as/of the date of pull or that if you use the date of load that you load the files within the calendar month; that you don't care to know exactly how many were added or deleted, just what the number was; ... and I guess that's it.
index=foo source=bar
| bin _time span=1mon
| stats count by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you provide a sample of the data you're working with?
Have you tried to use the timewrap app to complete this month over month comparison?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just in case, here is the link to the app https://splunkbase.splunk.com/app/1645/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While Timewrap App might not be supported for newer version of Splunk, timwrap command is available in SPL itself from Splunk Enterprise 6.5 onward: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap
However, as per @cmerriman, do provide some sample data.
| makeresults | eval message= "Happy Splunking!!!"
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
