Dashboards & Visualizations

How to execute a search for each day within a range

frostyflamez
Explorer

Here is the search I'm running:

index=cdb_summary source=CDM_*_Daily_Summary fismaid=* sourcetype=swam_summary OR sourcetype=hwam_summary
| stats sum(TotalManaged) as TotalApplicable,count(eval(AutoFail=="False")) as GoodAssets , sum(NotScanned) as NotScanned,values(FailedCPE) as FailedCPEs, count(FailedCPE) as FailedCPE
| eval SWAM_Score=round((TotalApplicable-NotScanned-FailedCPE)/TotalApplicable*100)


I'd like to get results from each day within a given timeframe to use for the ML Toolkit.  I've tried timewrap, but it returns no results. How can I get a search to run this query for each day in a given timeframe?

1 Solution

ITWhisperer
SplunkTrust
index=cdb_summary source=CDM_*_Daily_Summary fismaid=* sourcetype=swam_summary OR sourcetype=hwam_summary
| bin span=1d _time
| stats sum(TotalManaged) as TotalApplicable,count(eval(AutoFail=="False")) as GoodAssets , sum(NotScanned) as NotScanned,values(FailedCPE) as FailedCPEs, count(FailedCPE) as FailedCPE by _time
| eval SWAM_Score=round((TotalApplicable-NotScanned-FailedCPE)/TotalApplicable*100)

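As an added illustration that is not part of the thread, the following Python models what the accepted answer's `bin span=1d _time` plus `stats ... by _time` does to the summary search, beside the original single-row behaviour. The event records are constructed here with the thread's field names (TotalManaged, AutoFail, NotScanned, FailedCPE); the day boundary is assumed to be UTC midnight, whereas Splunk aligns `bin span=1d` to the search's time zone, and a zero TotalApplicable is returned as a null score rather than an error, as Splunk's eval would.

```python
"""Added example (not from the Splunk thread): a plain-Python model of
`| bin span=1d _time | stats ... by _time` applied to the summary search.
Input records are constructed; field names follow the thread's SPL."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events spanning three calendar days (UTC). FailedCPE is
# absent (None) on assets that passed, as a missing field would be in Splunk.
EVENTS = [
    {"_time": "2024-03-01T02:00:00Z", "TotalManaged": 100, "AutoFail": "False", "NotScanned": 5,  "FailedCPE": None},
    {"_time": "2024-03-01T23:30:00Z", "TotalManaged": 50,  "AutoFail": "True",  "NotScanned": 2,  "FailedCPE": "cpe:/a:vendor:prod:1"},
    {"_time": "2024-03-02T10:00:00Z", "TotalManaged": 120, "AutoFail": "False", "NotScanned": 0,  "FailedCPE": None},
    {"_time": "2024-03-02T11:00:00Z", "TotalManaged": 30,  "AutoFail": "False", "NotScanned": 10, "FailedCPE": "cpe:/a:vendor:prod:2"},
    {"_time": "2024-03-02T12:00:00Z", "TotalManaged": 0,   "AutoFail": "False", "NotScanned": 0,  "FailedCPE": "cpe:/a:vendor:prod:2"},
    {"_time": "2024-03-03T08:00:00Z", "TotalManaged": 0,   "AutoFail": "False", "NotScanned": 0,  "FailedCPE": None},
]


def bin_day(ts: str) -> str:
    """`bin span=1d _time`: floor the timestamp to the start of its day.
    Assumption: UTC day boundaries (Splunk uses the search's time zone)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%d")


def swam_score(total_applicable: int, not_scanned: int, failed_cpe: int):
    """`eval SWAM_Score=round((TotalApplicable-NotScanned-FailedCPE)/TotalApplicable*100)`.
    Splunk's eval yields a null score when TotalApplicable is 0 (division by
    zero); None is returned for that case instead of raising. Python's round()
    is banker's rounding, so exact .5 results may differ from Splunk."""
    if total_applicable == 0:
        return None
    return round((total_applicable - not_scanned - failed_cpe) / total_applicable * 100)


def daily_summary(events, by_day: bool = True):
    """Run the thread's `stats` over the events. by_day=True is the accepted
    answer (`... by _time` after binning) and yields one row per day;
    by_day=False is the original search, which collapses the whole
    timeframe into a single row."""
    groups = defaultdict(list)
    for ev in events:
        groups[bin_day(ev["_time"]) if by_day else "all"].append(ev)
    rows = []
    for key in sorted(groups):
        evs = groups[key]
        total_applicable = sum(e["TotalManaged"] for e in evs)        # sum(TotalManaged)
        good_assets = sum(1 for e in evs if e["AutoFail"] == "False")  # count(eval(AutoFail=="False"))
        not_scanned = sum(e["NotScanned"] for e in evs)                # sum(NotScanned)
        failed = [e["FailedCPE"] for e in evs if e["FailedCPE"] is not None]
        rows.append({
            "_time": key,
            "TotalApplicable": total_applicable,
            "GoodAssets": good_assets,
            "NotScanned": not_scanned,
            "FailedCPEs": sorted(set(failed)),  # values(FailedCPE): distinct values
            "FailedCPE": len(failed),           # count(FailedCPE): events where the field exists
            "SWAM_Score": swam_score(total_applicable, not_scanned, len(failed)),
        })
    return rows


if __name__ == "__main__":
    print("original search (one row):")
    for row in daily_summary(EVENTS, by_day=False):
        print(row)
    print("with bin span=1d ... by _time (one row per day):")
    for row in daily_summary(EVENTS):
        print(row)
```

The per-day output is the shape the ML Toolkit needs: one row per `_time` bucket. The third day shows why a null score can appear in that series and should be filtered or filled before training.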

RetailOperation
Explorer

I am not sure if I understand your question right, but if you want to have the results for just a timeframe of some days, for example every day from 05:00 to 23:00, you can add something like that:

......| eval eventHour=strftime(_time,"%H") | search eventHour>5 AND eventHour<23

For whole days I would use:

| timechart span=%%

with the span you want to compare.

frostyflamez
Explorer

Currently the search gives a single row of data for whatever length of time I select. I want it to give a row for every day in the length of time I select so I can do some analysis with the numbers.

I tried the timechart recommendation, and got the following errors:

Error in 'timechart' command: You must specify data field(s) to chart.
The search job has failed due to an error. You may be able view the job in the 