Hi everyone!
So, I have this search:
index=XXXXX sourcetype=XXXXX earliest="$time_token.earliest$" latest="$time_token.latest$" NOT
[| inputlookup timestamped_users.csv
| where _time>=relative_time(now(), "$time_token.earliest$") AND _time<=relative_time(now(), "$time_token.latest$")
| rename "User IP" as src_ip]
| dedup src_ip sortby +_time
| rename src_ip as "User IP"
| table "User IP", "_time"
| stats dc("User IP") as "Returning Users"
| appendcols
[ search index=XXXXX sourcetype=XXXXX earliest="$time_token.earliest$" latest="$time_token.latest$" AND
[| inputlookup timestamped_users.csv
| where _time>=relative_time(now(), "$time_token.earliest$") AND _time<=relative_time(now(), "$time_token.latest$")
| rename "User IP" as src_ip]
| dedup src_ip sortby +_time
| rename src_ip as "User IP"
| table "User IP", "_time"
| stats dc("User IP") as "New Users"]
| transpose
| rename "row 1" as "Count" "column" as Field
My goal is to compare the unique IPs stored along with their timestamp (first login) in the timestamped_users.csv lookup to the unique IPs that have logged in over time, in order to find out how many "new" and "returning" users there have been over a user-specified time period. This could probably have been done in a better way, but bear with me. The time period to search over is specified by a custom time token. My problem surfaces whenever I run this search with any preset time token values, e.g. "All time", "Last 30 days", etc. For example, if I run the search with "All time", $time_token.earliest$ and $time_token.latest$ are evaluated as "" and "", which in turn results in no output from the search. Also, if I run the search with "Last 30 days", the token is evaluated as "now". This is not accepted properly by the relative_time() command, and so again the second part of the search returns nothing. Do you have any ideas as to how I could get the output I want? 🙂
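The following is an added example, not part of the original post and not Splunk code: a Python stand-in that reproduces the new/returning split the two searches above compute, and that resolves the time-token values the presets hand over ("" for "All time", "now" for "Last 30 days") before doing any relative-time arithmetic, which is exactly where the relative_time() call in the post fails. The relative-modifier parser is an assumption covering only a subset of Splunk's syntax (an optional "+/-N" offset in s/m/h/d followed by an optional "@unit" snap); the events, the lookup contents and the fixed "now" are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data, not from the original post. Times are epoch seconds,
# like Splunk's _time. NOW stands in for the dashboard's now().
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)


def _ago(**kw):
    return (NOW - timedelta(**kw)).timestamp()


# Login events from the indexed data (field src_ip).
EVENTS = [
    {"src_ip": "10.0.0.1", "_time": _ago(days=1)},
    {"src_ip": "10.0.0.2", "_time": _ago(days=10)},
    {"src_ip": "10.0.0.2", "_time": _ago(days=2)},   # same IP twice: dedup keeps one
    {"src_ip": "10.0.0.3", "_time": _ago(days=45)},
    {"src_ip": "10.0.0.4", "_time": _ago(days=3)},
]

# Stand-in for timestamped_users.csv: first login per "User IP".
FIRST_LOGIN = {
    "10.0.0.1": _ago(days=1),
    "10.0.0.2": _ago(days=60),
    "10.0.0.3": _ago(days=45),
    "10.0.0.4": _ago(days=3),
}

# Assumption: a small stand-in for Splunk's relative time modifiers, covering
# only "<+/-N><s|m|h|d>" with an optional "@<s|m|h|d>" snap (offset applied
# first, then snap), plus the two preset values that relative_time() rejects.
_REL = re.compile(r"^(?P<off>[+-]\d+[smhd])?(?:@(?P<snap>[smhd]))?$")
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def resolve_token(token, now):
    """Map a time-token value to an epoch bound; None means 'unbounded'."""
    token = (token or "").strip()
    if token == "":            # "All time" hands the search empty strings
        return None
    if token == "now":         # "Last 30 days" hands latest="now"
        return now.timestamp()
    if token.isdigit():        # absolute epoch from a date picker
        return float(token)
    m = _REL.match(token)
    if not m:
        raise ValueError(f"unsupported time modifier: {token!r}")
    t = now
    if m.group("off"):
        n, unit = int(m.group("off")[:-1]), m.group("off")[-1]
        t += timedelta(**{_UNIT[unit]: n})
    snap = m.group("snap")
    if snap == "s":
        t = t.replace(microsecond=0)
    elif snap == "m":
        t = t.replace(second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return t.timestamp()


def _in_window(ts, earliest, latest):
    return (earliest is None or ts >= earliest) and (latest is None or ts <= latest)


def classify_users(events, first_login, earliest_token, latest_token, now=NOW):
    """Count new vs. returning users the way the two searches in the post do."""
    earliest = resolve_token(earliest_token, now)
    latest = resolve_token(latest_token, now)
    # Outer search + dedup src_ip: distinct IPs that logged in inside the window.
    seen = {e["src_ip"] for e in events if _in_window(e["_time"], earliest, latest)}
    # Subsearch on the lookup: IPs whose recorded first login falls inside the window.
    first_in_window = {ip for ip, t in first_login.items() if _in_window(t, earliest, latest)}
    return {
        "New Users": len(seen & first_in_window),        # the AND [...] branch
        "Returning Users": len(seen - first_in_window),  # the NOT [...] branch
    }


if __name__ == "__main__":
    presets = {"Last 30 days": ("-30d@d", "now"), "All time": ("", "")}
    for label, (earliest, latest) in presets.items():
        print(label, classify_users(EVENTS, FIRST_LOGIN, earliest, latest))
```

The point of the example is the order of operations: the token values are normalised (empty string means no bound, "now" means the current time) before anything tries to treat them as an offset, so the same comparison logic works for a custom range, for "Last 30 days" and for "All time" without the subsearch silently returning nothing.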