Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Is it possible to create a variable that would tri...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the timechart below, is there a way to create variable that would trigger if a daily count dropped by a hundred?
Example if East Florida count dropped from 807-799, is there a way to write an case statement that would show a 1?
index=cmdb Owner_Contact!="IS&O" Owner_Contact!="UNDEFINED LOCATION" Owner_Contact!="SM&D"|table Name Owner_Contact SystemRole OS Site Serial_Number IsVirtual Domain Total_Physical_Memory NumberOfProcessors _time | eval divown=case(Owner_Contact="Tristar" OR Owner_Contact="North Florida" OR Owner_Contact="East Florida" OR Owner_Contact="San Antonio" OR Owner_Contact="Healthtrust","John" , Owner_Contact="North Texas" OR Owner_Contact="Mid America" OR Owner_Contact="Central & West Texas" OR Owner_Contact="Far West" OR Owner_Contact="Mountain","Jase",Owner_Contact="Capital" OR Owner_Contact="West Florida" OR Owner_Contact="Continental" OR Owner_Contact="South Atlantic","David",1=1,"None")|search divown="John" |search Owner_Contact!="None"| timechart span=1d dc(Name) as "servers" by Owner_Contact|
_time East Florida Healthtrust North Florida San Antonio Tristar
2017-01-03T00:00:00.000-0600 761 0 1232 809 889
2017-01-04T00:00:00.000-0600 807 0 1232 808 887
2017-01-05T00:00:00.000-0600 807 0 1232 808 888
2017-01-06T00:00:00.000-0600 806 0 1233 808 879
2017-01-07T00:00:00.000-0600 806 0 1233 808 879
2017-01-08T00:00:00.000-0600 0 0 0 0 0
2017-01-09T00:00:00.000-0600 810 20 1234 808 879
2017-01-10T00:00:00.000-0600 0 0 0 0 0
2017-01-11T00:00:00.000-0600 812 164 1232 833 876
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try something like this:
...|sort + _time|streamstats window=1 current=f last(*) as prev* by _time|foreach prev* [eval <<FIELD>>Alert='<<MATCHSTR>>'-'<<FIELD>>']|rename prev*Alert as *Alert|fields - prev*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try something like this:
...|sort + _time|streamstats window=1 current=f last(*) as prev* by _time|foreach prev* [eval <<FIELD>>Alert='<<MATCHSTR>>'-'<<FIELD>>']|rename prev*Alert as *Alert|fields - prev*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try looking into streamstats which evaluates data in order rather than in aggregate. you would need to generate a table of count by time and by owner (similar to your timechart but im not sure you can use timechart) and then use a streamstats command to say something like "previousDay = last(coundDay)" which will generate a new field in each event equal to the value of countDay in the previous event. then check if it dropped by 100 or more between events using "eval dropTriggered = if(previousDay - countDay > 99,1,0)". it is important that you sort by time before sending the data through streamstats so that the "last" command references the events in the correct order (chronological)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
