Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SPL

uagraw01
Motivator
‎09-27-2021 09:34 AM

Hello Splunkers!!

 

I want compare 30 days, 60 days and 90 days of data in Splunk on the basis of APP_ID. As i have written the below SPL for 30 days. Please let me know the quick and correct approach to write the SPL for the comparion three periods of data.

1. Should i use the join command and use the same kind of serach for 60 & 90 days ?

 

index="ito_snow" sourcetype=csv source="/opt/splunk/etc/apps/splunk_snow_tickets/bin/open_inc.sh" assignment_group="*" cmdb_ci=*
earliest=-30d
| rename cmdb_ci as Hostname state as incident_state number as Incident_Number
| join type=outer Hostname
[| inputlookup LocationMapping.csv
| search Type=MFG OR Type=Mfg ]
| join type=outer Hostname
[| inputlookup abc.csv
| search status="decom"
| eval Hostname=lower(trim(target,"*"))]
| join type=outer Hostname
[| inputlookup yzN.csv
| search SERVERS=*
| rename SERVERS as Hostname]
| where isnull(status) AND incident_state!="Resolved"
| search OneSourceCode="*"
| eval APP_ID=if(isnull(APP_ID),"Not Mapped",APP_ID), APP_NAME=if(isnull(APP_NAME),"Not Mapped",APP_NAME) , BU=if(isnull(BU),"Not Mapped",BU)
| eval APP_DETAILS = APP_NAME."(".APP_ID.")"
| table Incident_Number, BU, APP_DETAILS short_description, assignment_group,incident_state, Hostname, Location, OneSourceCode, Environment, Source, Type, , opened_at
| stats dc(Incident_Number) as "incident Count" by APP_DETAILS

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-27-2021 12:44 PM

I think the easiest way (I'm not sure that it's the most effective one though) to obtain stats from various point in time is to add an incremental stats value using streamstats and then just filter out three points in time. Something like:

<<your_search>> | streamstats dc(Incident_Number) as "incident Count" by APP_DETAILS

Then you can do

| timechart span=30d latest("incident Count") by APP_DETAILS

Ths should be the easiest one because you don't need to use three different searches to calculate three distinct sets of values and then append them together (it's append, not join which you would want anyway).

 

0 Karma
Reply

andrew_m_streic
New Member
‎09-27-2021 09:53 AM

There are a couple of ways of doing this. I would recommend bring in all 90 days then aggregating it. You could use something like bin or bucket. You could also you something like rangemap to break it up into easy to find the 30 days groups easier. Another thing you could do would be something like an eval based on range something like eval 30d=(_time-now()/2678400)

0 Karma
Reply

uagraw01
Motivator
‎09-27-2021 10:17 AM

@Andrew i think rangemap will not work here.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...