All Apps and Add-ons

Is it possible to create a variable that would trigger if the daily count in a timechart dropped by 100?


For the timechart below, is there a way to create variable that would trigger if a daily count dropped by a hundred?

Example if East Florida count dropped from 807-799, is there a way to write an case statement that would show a 1?

index=cmdb Owner_Contact!="IS&O" Owner_Contact!="UNDEFINED LOCATION" Owner_Contact!="SM&D"|table Name Owner_Contact SystemRole OS Site Serial_Number IsVirtual Domain Total_Physical_Memory NumberOfProcessors _time | eval divown=case(Owner_Contact="Tristar" OR Owner_Contact="North Florida" OR Owner_Contact="East Florida" OR Owner_Contact="San Antonio" OR Owner_Contact="Healthtrust","John" , Owner_Contact="North Texas" OR Owner_Contact="Mid America" OR Owner_Contact="Central & West Texas" OR Owner_Contact="Far West" OR Owner_Contact="Mountain","Jase",Owner_Contact="Capital" OR Owner_Contact="West Florida" OR Owner_Contact="Continental" OR Owner_Contact="South Atlantic","David",1=1,"None")|search divown="John" |search Owner_Contact!="None"| timechart span=1d dc(Name) as "servers" by Owner_Contact|

_time   East Florida    Healthtrust North Florida   San Antonio Tristar
2017-01-03T00:00:00.000-0600    761 0   1232    809 889
2017-01-04T00:00:00.000-0600    807 0   1232    808 887
2017-01-05T00:00:00.000-0600    807 0   1232    808 888
2017-01-06T00:00:00.000-0600    806 0   1233    808 879
2017-01-07T00:00:00.000-0600    806 0   1233    808 879
2017-01-08T00:00:00.000-0600    0   0   0   0   0
2017-01-09T00:00:00.000-0600    810 20  1234    808 879
2017-01-10T00:00:00.000-0600    0   0   0   0   0
2017-01-11T00:00:00.000-0600    812 164 1232    833 876
0 Karma
1 Solution

Super Champion

try something like this:

...|sort + _time|streamstats window=1 current=f last(*) as prev* by _time|foreach prev* [eval <<FIELD>>Alert='<<MATCHSTR>>'-'<<FIELD>>']|rename prev*Alert as *Alert|fields - prev*

View solution in original post

0 Karma

Super Champion

try something like this:

...|sort + _time|streamstats window=1 current=f last(*) as prev* by _time|foreach prev* [eval <<FIELD>>Alert='<<MATCHSTR>>'-'<<FIELD>>']|rename prev*Alert as *Alert|fields - prev*
0 Karma

Path Finder

try looking into streamstats which evaluates data in order rather than in aggregate. you would need to generate a table of count by time and by owner (similar to your timechart but im not sure you can use timechart) and then use a streamstats command to say something like "previousDay = last(coundDay)" which will generate a new field in each event equal to the value of countDay in the previous event. then check if it dropped by 100 or more between events using "eval dropTriggered = if(previousDay - countDay > 99,1,0)". it is important that you sort by time before sending the data through streamstats so that the "last" command references the events in the correct order (chronological)

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...