Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare savedsearch loadjob artifacts, and use in single value visual?

mjon395
Explorer
‎07-14-2022 09:14 AM

Most of my operations are based off of saved searches and these are saved a few times weekly or monthly.

The columns available should always align.

I tried to get the base SPL down so I could have an output with a table showing one column with result from offset=0 (current iteration), and another column with results from offset=1 (1 previous iteration), but I could not get this to work.  I was expecting the below:

Available ColumnsValue from Offset=0Value from Offset=1
# of hosts1000

955

 

As an example, the current query would look like this:

| loadjob artifact_offset=0 savedsearch="named_search" ```current week```

| loadjob artifact_offset=1 savedsearch="named_search" ```previous iteration```

Once the table gets figured out, I'm not sure how I could even use the data for a single value visualization, because it would need | timechart count to operate, but my "time" is the value from "artifact_offset"

So, 2 things:

  1. Any help with the table to visualize differences between 2 jobs based on artifact_offset?
  2. With that table, would it even be possible to use the outputs to populate the single value visual?

Any help here?  Or any other questions I need to answer?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-15-2022 08:09 AM

You could try this (although I don't know how much more efficient it would be)

| loadjob artifact_offset=0 savedsearch="named_search_A" ```current week for A group```
| append [| loadjob artifact_offset=0 savedsearch="named_search_B"] ```current week for B group```
| eval artifact_offset=0
| append
  [| loadjob artifact_offset=1 savedsearch="named_search_A" ```previous iteration for A group```]
| append
  [| loadjob artifact_offset=1 savedsearch="named_search_B" ```previous iteration for B group```]
| fillnull value=1 artifact_offset
| stats dc(hosts) as hosts by artifact_offset group_name

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-14-2022 10:11 AM

artifact_offset is not returned by loadjob so you will have to create it yourself - try something like this

| loadjob artifact_offset=0 savedsearch="named_search" ```current week```
| eval artifact_offset=0
| append
  [| loadjob artifact_offset=1 savedsearch="named_search" ```previous iteration```
  | eval artifact_offset=1]
| stats dc(hosts) as hosts by artifact_offset

 

0 Karma
Reply
Solved! Jump to solution

mjon395
Explorer
‎07-15-2022 07:55 AM

This seems to be working, thank you!

Brings me to a new question that I thought of after seeing it working.

When I append multiple saved searches together, what would be the best approach to making the new eval field?

For example (group_name exists in the savedsearches already):

| loadjob artifact_offset=0 savedsearch="named_search_A" ```current week for A group```
| append [| loadjob artifact_offset=0 savedsearch="named_search_B"] ```current week for B group```
| eval artifact_offset=0
| append
  [| loadjob artifact_offset=1 savedsearch="named_search_A" ```previous iteration for A group```
  | eval artifact_offset=1]
| append
  [| loadjob artifact_offset=1 savedsearch="named_search_B" ```previous iteration for B group```
  | eval artifact_offset=1]
| stats dc(hosts) as hosts by artifact_offset group_name

 Is the above code the most efficient approach?  It would seem I need to add the artifact_offset eval after each "1 offset" for each group.

I can't do

[ append [ append [| loadjob artifact_offset=1 savedsearch="named_search_A"] [| loadjob artifact_offset=1 savedsearch="named_search_B"] | eval artifact_offset=1 ]

The 'append' command cannot be the first command in a search

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-15-2022 08:09 AM

You could try this (although I don't know how much more efficient it would be)

| loadjob artifact_offset=0 savedsearch="named_search_A" ```current week for A group```
| append [| loadjob artifact_offset=0 savedsearch="named_search_B"] ```current week for B group```
| eval artifact_offset=0
| append
  [| loadjob artifact_offset=1 savedsearch="named_search_A" ```previous iteration for A group```]
| append
  [| loadjob artifact_offset=1 savedsearch="named_search_B" ```previous iteration for B group```]
| fillnull value=1 artifact_offset
| stats dc(hosts) as hosts by artifact_offset group_name
0 Karma
Reply
Solved! Jump to solution

mjon395
Explorer
‎07-15-2022 08:23 AM

This is more efficient (I think) because I have ~40 saved searches, but yes; same results.

Thank you for all the help.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...