topic Re: Help with timecharts in Splunk Search

Help with timecharts

cjohnson_vectra — Tue, 08 Mar 2016 19:06:15 GMT

New to splunk so aplogies if this question is not worded correctly. Trying to generate a view (sparkline?) that compares the cumulative value of events over a given period with the current value. I have a query in place the will show me the count of events that happened each day based on the defined time period:

index=* name="event type" | dedup src | timechart count

but now I want to generate a sparkline that compares the total count with the current value day's value. This will be presented in a single value field.

Re: Help with timecharts

somesoni2 — Tue, 08 Mar 2016 22:43:11 GMT

Could you provide more details on expected output?

Re: Help with timecharts

cjohnson_vectra — Wed, 09 Mar 2016 00:59:04 GMT

Actually, I think I over simplified my question which is why I am having such a hard time getting my arms around this problem. In my case, the "event type" is actually a state that can change at any given time. (i.e. machine x changed from state 'a' to state 'b')

So I just realized that part of my problem is that I am deduping which eliminates all events except for the final state change. This in combination of the idea that I am not keeping a running tally for each day, I don't see an easy way to track trends.

In the end, what I was hoping to accomplish was show trends in change in state over a period of time. I just need to rethink this a little.

Thanks for the response. Greatly appreciated.

Re: Help with timecharts

Richfez — Wed, 09 Mar 2016 01:40:12 GMT

Sure, that all sounds like fun. We may still be able to help if you could provide a few sample events - I think you are clear enough on your description above that with those two things a start could be made. Sometimes that's all it takes to get your own juices flowing...

Re: Help with timecharts

chimell — Wed, 09 Mar 2016 09:00:25 GMT

Hi
Try this search code

index=* name="event type" | dedup src | timechart count as Total_count|appendcols[search index=* name="event type" | dedup src | timechart span=1d count as daily_count]|eval diff=Total_count-daily_count|stats sparkline count(diff)

Re: Help with timecharts

cjohnson_vectra — Wed, 09 Mar 2016 19:02:43 GMT

Rich, here are a couple of event:

Mar 4 06:00:50 192.168.15.125 Mar 4 06:00:01 S14945214214616 - -: CEF:0|Vectra Networks|Vectra|2.3|hsc|Host Score Change|3|externalId=5084 cat=HOST SCORING shost=BThomas-Win7 src=192.168.111.3 dst=192.168.111.3 flexNumber1=84 flexNumber1Label=risk cs4=https://192.168.15.125/hosts/5084 cs4Label=URL start=1457100001073 end=1457100001073

Mar 4 03:00:50 192.168.15.125 Mar 4 03:00:01 S14945214214616 - -: CEF:0|Vectra Networks|Vectra|2.3|hsc|Host Score Change|3|externalId=5086 cat=HOST SCORING shost=WSmith_WinPC src=192.168.111.2 dst=192.168.111.2 flexNumber1=64 flexNumber1Label=risk cs4=https://192.168.15.125/hosts/5086 cs4Label=URL start=1457089201104 end=1457089201104