I'm taking a shot at providing metrics on day 1 retention numbers of users in our system (Create a profile and the next day use server again).
I can grab a list of users and the _time they created their profile easily:
`sourcetype=Profile event=profile__create | table user _time`
I have a general server_log response event that will capture user activity:
`sourcetype=server_log event=RESPONSE | bucket _time span=1d | stats values(user) by _time`
So, how can I take the profile creation events, look forward a day of the event and see if there was activity by that user?
I've been working in this direction with a subsearch, but have unable to complete the query...
`sourcetype=server_log event=RESPONSE [search sourcetype=Profile event=profile__create | table user _time] | bucket _time span=1d | stats values(user) by _time `
Any advice/direction is greatly appreciated.
↧