Dashboards & Visualizations

timechart to show the number of total events before filtering and number of filtered events

splunkbeginner
Engager

The search is like this:
host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi)

How can I create a timechart to show the number of total events (host=linux01 sourcetype="linux:audit") and the number of filtered events (host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi))?

Thanks for any help!

0 Karma
1 Solution

to4kawa
Ultra Champion
host=linux01 sourcetype="linux:audit"
| bin span=1d _time
| stats count as total, count(eval(key="linux01_change" AND NOT comm IN ("vi", "rm", "ls"))) as filter by _time

but the following is faster:

| tstats count where host=linux01 sourcetype="linux:audit" by _time span=1d prestats=t
| timechart span=1d count as total
| appendcols [ search host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
| timechart span=1d count as filter ]

0 Karma

splunkbeginner
Engager

@to4kawa

It really helps. Thank you.

0 Karma

renjith_nair
Legend

@splunkbeginner,

Try

host=linux01 sourcetype="linux:audit" key="linux01_change"
| timechart count as total, count(eval(NOT match(comm, "vi"))) as not_vi

References :
https://docs.splunk.com/Documentation/Splunk/latest/Search/Usestatswithevalexpressionsandfunctions
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

splunkbeginner
Engager

Thanks renjith.nair,

Sorry for some missing info. The base search shall be:
host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)

and the number of total events wanted is (host=linux01 sourcetype="linux:audit"), not (host=linux01 sourcetype="linux:audit" key="linux01_change")

The number of filtered events wanted is host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)

I want the search to become something like this:
host=linux01 sourcetype="linux:audit" | timechart count(host=linux01 sourcetype="linux:audit") as Total, count( host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls) ) as Filtered

Could you fine-tune the search? Much appreciated.

0 Karma

renjith_nair
Legend

@splunkbeginner,

Try

host=linux01 sourcetype="linux:audit"
| eventstats count as TOTAL
| search key="linux01_change" NOT comm IN (vi, rm, ls)
| stats max(TOTAL) as Total, count as Filtered
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

splunkbeginner
Engager

@renjith.nair,

Much appreciated. There is some output.

If I want to use a timechart to show the number of TOTAL and the number of Filtered each day, what will the search be like?

host=linux01 sourcetype="linux:audit"
| eventstats count as TOTAL
| search key="linux01_change" NOT comm IN (vi, rm, ls)
| timechart span=1d TOTAL and filter???

Sorry for the trivial question again.

0 Karma
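The per-day version of the accepted answer's single-pass approach, which also answers the last question in the thread, written here as an added example rather than code posted by anyone in the thread; it assumes the same host, sourcetype, key and comm values as the question and adds a percentage column so the filtered share of each day's audit events can be read off directly:

```spl
host=linux01 sourcetype="linux:audit"
| timechart span=1d
    count AS Total
    count(eval(key="linux01_change" AND NOT comm IN ("vi", "rm", "ls"))) AS Filtered
| eval Filtered_pct=if(Total > 0, round(Filtered / Total * 100, 2), 0)
```

Because both counts are computed in one pass over the same events, a day with no matching events still shows its Total with Filtered=0, whereas the appendcols form pairs rows by position and its subsearch is subject to subsearch result and time limits. Inside eval the IN list must be quoted strings; unquoted names there are read as field names, not values.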