Hello all,
I have created a form in Splunk that our Infra team uses to attest that they have conducted their daily system checks. Seems all the input side is working well now. The next challenge is pulling those daily audits to a search for displaying to management that we worker bees are busy.
I have the following search working, but it always pulls ALL the data in the .csv lookup vice just the current day.
| inputlookup DailyCheck.csv | stats count by _time, Administrator, CheckPerformed, CheckStatus, CheckType
Which results in:
_time | Administrator | CheckPerformed | CheckStatus | CheckType | count
2018-04-24 07:53:05 | Alvarez, Osie | Splunk | Complete, No Issues noted | Daily | 1
2018-04-24 07:51:28 | Alliman, Jen | Satellite | Complete, No Issues noted | Daily | 1
2018-04-24 07:49:38 | Coldwell, Tony | Satellite | Complete, No Issues noted | Daily | 1
2018-04-23 11:05:48 | Coldwell, Tony | Satellite | Complete, No Issues noted | Daily | 1
2018-04-23 10:54:58 | Gonzo, Barney | Virtualization | Complete, No Issues noted | Daily | 1
2018-04-23 10:54:52 | Gonzo, Barney | | Complete, No Issues noted | Daily | 1
How on earth can I pull just the "Today" values from the lookup in my search so I can put it on management's dashboard?
P.S. Names have been changed to protect the probably innocent.
Many, many thanks!
Barry
The inputlookup command is not affected by the selected time range, so you would need to specify the time-based filter in your search string, like this:
| inputlookup DailyCheck.csv | where _time>=relative_time(now(),"@d") | stats count by _time, Administrator, CheckPerformed, CheckStatus, CheckType
The relative_time(now(),"@d") gives the time of the start of today. The where condition can be updated to fetch records for the appropriate time range (e.g. for just yesterday, your where clause would be):
| where _time>=relative_time(now(),"-1d@d") AND _time<relative_time(now(),"@d")
Somesoni2,
You are a very helpful person that just got me over a weeklong hurdle!
Many, many thanks!
Barry
Can I ask a bonus question? I read your percentage posts and have been trying most of the day to do something similar.
Trying to convert the outcome of CheckStatus="Complete*" to a percentage. There are 12 daily checks; I normally divide the number of Complete results by 12 manually to get my percentage. Trying to get Splunk to automate this action.
Here's my search:
| inputlookup GenAtomicsCheck.csv | where _time>=relative_time(now(),"@d") | search CheckStatus="Complete*" | chart count AS Completed
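An added example, not from the thread or any of its participants, of one way to turn that count into a percentage in SPL. It keeps the same day filter as the accepted answer and assumes, as that answer does, that the lookup's _time column holds epoch seconds so the numeric comparison works. The file and field names are the ones from the post; the expected number of checks is the 12 stated in the post, placed in a field so the denominator is visible on the dashboard.

```spl
| inputlookup GenAtomicsCheck.csv
| where _time>=relative_time(now(),"@d")
| eval completed=if(like(CheckStatus,"Complete%"), 1, 0)
| stats sum(completed) AS Completed, count AS Performed
| eval Expected=12
| eval PercentComplete=round(100*Completed/Expected, 1)
| table Completed, Performed, Expected, PercentComplete
```

like() uses % as its wildcard, not the * used by the search command, so "Complete%" matches "Complete, No Issues noted" while leaving any other status counted only under Performed. The denominator is the fixed expected count rather than the number of rows, because a check that was never attested produces no row in the lookup at all; dividing by the row count would hide exactly the gaps management wants to see. Note that stats over zero rows returns no result rather than 0%, so a dashboard panel based on this will show "No results" until the first attestation of the day is recorded.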