topic Re: Comparing the sourcetypes between certain period. in Getting Data In

Comparing the sourcetypes between certain period.

udayk1 — Tue, 13 May 2014 10:21:10 GMT

I have a concern here, the requirement for me is to get a list of sourcetypes which are not sending logs from last 1month (say) and I have tried to take the list of last month active sourcetypes and this month, post on which I would do a 'vlookup' in the excel.
Yes, I agree this is manual, but the comparison is possible n Splunk as a query?

Re: Comparing the sourcetypes between certain period.

MuS — Tue, 13 May 2014 10:51:44 GMT

Hi udayk1,

you can do this very easy in Splunk using the timewrap command. Take this run everywhere search command which compares the event counts for sourcetype=splunkd_access over the last 4 weeks:

index=_internal sourcetype=splunkd_access earliest=-3w@w | timechart count by sourcetype | timewrap w

Regarding your use case, a non-active sourcetype would be on this chart with count 0 if it stopped producing events within the last 4 weeks. If the sourcetype stopped 5 or 6 weeks ago you will have to extend the time range from weeks to month.

hope this helps to get you started ...

cheers, MuS

Re: Comparing the sourcetypes between certain period.

linu1988 — Mon, 28 Sep 2020 16:35:39 GMT

|metadata type=sourcetypes index=fmo*|where recentTime < now()-2592000|convert ctime(*Time)

before convert just use a where condition to check your requirement