All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change in total log volume

ntalwar
New Member
‎12-13-2017 03:20 PM

How do I find the Change in total log volume (high risk rule or high risk source/destination) on every Monday 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎01-15-2018 03:15 AM

@ntalwar, while you can do it only for Monday, but if you are comparing current day to last week same day that would be better. You can refer to the following blog for the same: https://www.splunk.com/blog/2012/02/19/compare-two-time-ranges-in-one-report.html

You also have a look at the Timewrap command introduced in Splunk 6.5 onward.

Try the following run anywhere dashboard (please note that commands like append and appendcols are subject to Sub Search limitations:

<dashboard>
  <label>Today vs Last Week Same Day</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level="ERROR" earliest=-0d@d latest=now
| timechart count as Today
| appendcols [search index=_internal sourcetype=splunkd log_level!="INFO" earliest=-7d@d latest=-7d@s
| timechart count as LastWeek]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">1</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.overlayFields">LastWeek</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎01-15-2018 03:15 AM

@ntalwar, while you can do it only for Monday, but if you are comparing current day to last week same day that would be better. You can refer to the following blog for the same: https://www.splunk.com/blog/2012/02/19/compare-two-time-ranges-in-one-report.html

You also have a look at the Timewrap command introduced in Splunk 6.5 onward.

Try the following run anywhere dashboard (please note that commands like append and appendcols are subject to Sub Search limitations:

<dashboard>
  <label>Today vs Last Week Same Day</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level="ERROR" earliest=-0d@d latest=now
| timechart count as Today
| appendcols [search index=_internal sourcetype=splunkd log_level!="INFO" earliest=-7d@d latest=-7d@s
| timechart count as LastWeek]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">1</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.overlayFields">LastWeek</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-14-2018 02:41 AM

hey @ntalwar

If you want to compare only monday's data with the previous monday's data you can try..

<your_base_Search> date_wday="monday"  | eval WeekNumber=strftime(_time, "%v") | stats count as log_volume by WeekNumber | sort- WeekNumber

you will get output like this-
WeekNumber | count
1-Jan-2018 | 4250
8-Jan-2018 | 11583

let me know if this helps you!

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-14-2018 02:44 AM

If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-12-2018 04:57 PM

@ntalwar, for the community to assist please add more details to your question. What is the kind of log you are monitoring (any specific Splunk App or is it Custom)? What do you mean by high risk rule, source/destination? Also on every Monday compared to what Sunday or previous Monday?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

ntalwar
New Member
‎01-13-2018 11:45 AM

I am monitoring the Palo Alto firewall logs and would like to calculate the change in volume of log on Monday as compared to previous Monday(I can add in source and destination IP for finding the change in volume in context to them)

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎12-13-2017 05:45 PM

It is not displayed on the launcher.Please check with "Manage Apps".

alt text

a.jpg
Preview file
17 KB
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-12-2018 04:59 PM

@HiroshiSatoh, I have converted your Answer to comment so that this question flags as unanswered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top