Dashboards & Visualizations

How to compare savedsearch loadjob artifacts and use them in a single value visual?

mjon395
Explorer

Most of my operations are based on saved searches, and these are saved a few times weekly or monthly.

The columns available should always align.

I tried to get the base SPL down so I could have an output with a table showing one column with the result from offset=0 (current iteration) and another column with the result from offset=1 (one previous iteration), but I could not get this to work. I was expecting the below:

Available Columns   Value from Offset=0   Value from Offset=1
# of hosts          1000                  955

As an example, the current query would look like this:

| loadjob artifact_offset=0 savedsearch="named_search" ```current week```

| loadjob artifact_offset=1 savedsearch="named_search" ```previous iteration```

Once the table gets figured out, I'm not sure how I could even use the data for a single value visualization, because it would need | timechart count to operate, but my "time" is the value from "artifact_offset".

So, 2 things:

  1. Any help with the table to visualize differences between 2 jobs based on artifact_offset?
  2. With that table, would it even be possible to use the outputs to populate the single value visual?

Any help here?  Or any other questions I need to answer?


ITWhisperer
SplunkTrust

artifact_offset is not returned by loadjob, so you will have to create it yourself. Try something like this:

| loadjob artifact_offset=0 savedsearch="named_search" ```current week```
| eval artifact_offset=0
| append
  [| loadjob artifact_offset=1 savedsearch="named_search" ```previous iteration```
  | eval artifact_offset=1]
| stats dc(hosts) as hosts by artifact_offset


mjon395
Explorer

This seems to be working, thank you!

Brings me to a new question that I thought of after seeing it working.

When I append multiple saved searches together, what would be the best approach to making the new eval field?

For example (group_name exists in the savedsearches already):

| loadjob artifact_offset=0 savedsearch="named_search_A" ```current week for A group```
| append [| loadjob artifact_offset=0 savedsearch="named_search_B"] ```current week for B group```
| eval artifact_offset=0
| append
  [| loadjob artifact_offset=1 savedsearch="named_search_A" ```previous iteration for A group```
  | eval artifact_offset=1]
| append
  [| loadjob artifact_offset=1 savedsearch="named_search_B" ```previous iteration for B group```
  | eval artifact_offset=1]
| stats dc(hosts) as hosts by artifact_offset group_name

Is the above code the most efficient approach? It would seem I need to add the artifact_offset eval after each "1 offset" for each group.

I can't do

[ append [ append [| loadjob artifact_offset=1 savedsearch="named_search_A"] [| loadjob artifact_offset=1 savedsearch="named_search_B"] | eval artifact_offset=1 ]

The 'append' command cannot be the first command in a search


ITWhisperer
SplunkTrust

You could try this (although I don't know how much more efficient it would be)

| loadjob artifact_offset=0 savedsearch="named_search_A" ```current week for A group```
| append [| loadjob artifact_offset=0 savedsearch="named_search_B"] ```current week for B group```
| eval artifact_offset=0
| append
  [| loadjob artifact_offset=1 savedsearch="named_search_A" ```previous iteration for A group```]
| append
  [| loadjob artifact_offset=1 savedsearch="named_search_B" ```previous iteration for B group```]
| fillnull value=1 artifact_offset
| stats dc(hosts) as hosts by artifact_offset group_name
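The following is an added example, not code from the thread or from either poster, that carries the accepted fillnull pattern through to the second part of the original question (feeding a single value visualization). It assumes, as the posts above do, two scheduled saved searches named named_search_A and named_search_B whose artifacts each contain a hosts field and a group_name field, and that artifacts for both artifact_offset=0 and artifact_offset=1 still exist on the search head. The saved search names and field names are placeholders taken from the thread, not real objects.

```spl
| loadjob artifact_offset=0 savedsearch="named_search_A"
| append [| loadjob artifact_offset=0 savedsearch="named_search_B"]
| eval artifact_offset=0
| append [| loadjob artifact_offset=1 savedsearch="named_search_A"]
| append [| loadjob artifact_offset=1 savedsearch="named_search_B"]
| fillnull value=1 artifact_offset
| stats dc(eval(if(artifact_offset=0, hosts, null()))) as current
        dc(eval(if(artifact_offset=1, hosts, null()))) as previous
        by group_name
| eval delta=current-previous
| table group_name previous current delta
```

How it works: loadjob does not return artifact_offset, so the eval tags the rows loaded before it with 0; every row appended afterwards lacks the field, and fillnull labels those as the previous iteration (this relies on the saved searches not already emitting a field called artifact_offset). The conditional dc() inside stats builds the two comparison columns in one pass, which is the table from the first question. For a single value panel, drop `by group_name` from the stats and end with `| fields delta` (or `| fields current`): a single value visualization displays the first field of the first result row, so the field to show must come first. Do not sum the per-group delta values for the overall figure, since dc() per group double counts a host that appears in more than one group. One operational caveat: artifact_offset=1 only resolves while the previous run's artifact is still retained under the saved search's dispatch TTL, so the retention must outlive the interval between scheduled runs.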

mjon395
Explorer

This is more efficient (I think) because I have ~40 saved searches, but yes, same results.

Thank you for all the help.
