Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Comparison for use with a trend line

bworrellZP
Communicator
‎01-11-2018 04:37 AM

I am trying to compare daily failed logins for a web app. The initial ask was they wanted to know how many failed Yesterday, as compared with the day before. Racking my head around the search, as no matter what I do, I seem to also get todays failed logins, which then does not show yesterday and the day before, but rather today and yesterday.

(index=web1 OR index=web2) AND LoginStatus=Failed
| stats first(*) as * by LoginAttemptID, index, _time
| table _time, date_wday, ClientID, UserIPAddress, GuarantorAccountEntry, tag, LoginAttemptID LoginStatus | eval earliestTime = relative_time(now(),"-2d@d")
| eval latestTime = relative_time(now(),"-0@d")
| where _time>=earliestTime AND _time<=latestTime
| timechart count as Total span="1d" fixedrange=false

I am sure its something silly, but any help is appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎01-11-2018 04:52 AM

can you just put the earliest and latest into the base search?

(index=web1 OR index=web2) AND LoginStatus=Failed earliest=-2d@d latest=@d| stats first(*) as * by LoginAttemptID, index, _time | table _time, date_wday, ClientID, UserIPAddress, GuarantorAccountEntry, tag, LoginAttemptID LoginStatus  | timechart count as Total span="1d" fixedrange=false

you could also try to use timewrap. | timechart count as Total span="1d" fixedrange=false|timewrap 1d

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Timewrap

View solution in original post

Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-11-2018 04:56 AM

hey try this

(index=web1 OR index=web2) AND LoginStatus=Failed earliest=-2d | stats first(*) as * by LoginAttemptID, index, _time | table _time, date_wday, ClientID, UserIPAddress, GuarantorAccountEntry, tag, LoginAttemptID LoginStatus | timechart count span=1d | timewrap d | rename latest_day as today 1day_before as yesterday 2days_before as day_before_yesterday

let me know if this helps you!

Reply
Solved! Jump to solution

bworrellZP
Communicator
‎01-11-2018 06:30 AM

This option still listed today in the list. Thank you for the suggestion though

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-11-2018 06:35 AM

oh then you do not need to use timewrap i thought you wanted to compare 3 days data so i put together all three 🙂 just use timechart as suggested by @cmerriman will also do!

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎01-11-2018 04:52 AM

can you just put the earliest and latest into the base search?

(index=web1 OR index=web2) AND LoginStatus=Failed earliest=-2d@d latest=@d| stats first(*) as * by LoginAttemptID, index, _time | table _time, date_wday, ClientID, UserIPAddress, GuarantorAccountEntry, tag, LoginAttemptID LoginStatus  | timechart count as Total span="1d" fixedrange=false

you could also try to use timewrap. | timechart count as Total span="1d" fixedrange=false|timewrap 1d

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Timewrap

Reply
Solved! Jump to solution

bworrellZP
Communicator
‎01-11-2018 06:31 AM

This worked, without the need for the timewrap. Thank you.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...