topic Splunk comparison search in Splunk Search

Splunk comparison search

astatrial — Mon, 22 Jul 2019 11:37:50 GMT

Hello,
I have difficulties with creating a comparison chart for the next data structure:

search         Count              Date
_________________________________________
check1           5             07/5/2019       
check2           3             07/5/2019
check3           6             07/5/2019
check1           7             07/6/2019
check2           12            07/6/2019
check3           2             07/6/2019

This is an example for the structure. There can be more dates.

What i am trying to achieve is a line chart by search, that every line will represent a search and there will be a time line by the date value.

To be clearer, the X axis will be the date, and the y axis will be the count.

Can anyone assist me with this ?

The data is coming from a lookup file.

Re: Splunk comparison search

adonio — Mon, 22 Jul 2019 11:55:06 GMT

try this anywhere:

| makeresults count=1
| eval data = "check1,5,07/5/2019;;;check2,3,07/5/2019;;;check3,6,07/5/2019;;;check1,7,07/6/2019;;;check2,12,07/6/2019;;;check3,2,07/6/2019"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<search>[^\,]+)\,(?<COUNT>\d+)\,(?<Date>.+)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "the above generates data below is the solution"
| timechart span=1d max(COUNT) as max_count by search

work with the formula
hope it helps

Re: Splunk comparison search

astatrial — Mon, 22 Jul 2019 12:44:27 GMT

Your solution is a bit problematic, because the number of searches is changing.

Re: Splunk comparison search

adonio — Mon, 22 Jul 2019 12:50:24 GMT

how come? the split with by clause will take as many searches under that field

Re: Splunk comparison search

astatrial — Mon, 22 Jul 2019 13:20:26 GMT

I don't see split with by.
But maybe you can help me with another idea i had.
Instead of this, i want to calculate the difference between the two most recent searches by search.
So if i had another date of 7/7/2019 it would calculate the difference between every count value of every search between the 7/7/2019 and the 7/6/2019

Re: Splunk comparison search

adonio — Mon, 22 Jul 2019 13:34:27 GMT

try this:

| makeresults count=1
| eval data = "check1,5,07/5/2019;;;check2,3,07/5/2019;;;check3,6,07/5/2019;;;check1,7,07/6/2019;;;check2,12,07/6/2019;;;check3,2,07/6/2019;;;check1,15,07/7/2019;;;check2,13,07/7/2019;;;check3,26,07/7/2019;;;check1,17,07/8/2019;;;check2,22,07/8/2019;;;check3,9,07/8/2019"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<search>[^\,]+)\,(?<COUNT>\d+)\,(?<Date>.+)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "the above generates data below is the solution"
| streamstats current=f global=false window=2 last(COUNT) as previous_count by search
| eval delta = COUNT - previous_count

Re: Splunk comparison search

astatrial — Mon, 22 Jul 2019 18:54:51 GMT

Thanks for your help,
I understand now what you have tried to do in the first solution.
It doesn't work for some reason.
The second solution worked fine, but i need only the last date rows (max date). I will try to solve it, but if you know how to do it, that will be great.

Re: Splunk comparison search

astatrial — Mon, 22 Jul 2019 19:01:11 GMT

I added this to the second solution eventually -
| eventstats max(date) as date
| where date = maxdate