Dashboards & Visualizations

timechart to show the number of total events before filtering and number of filtered events

splunkbeginner
Engager

The search is like this:
host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi)

How can I create a timechart to show the number of total events (host=linux01 sourcetype="linux:audit") and the number of filtered events (host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi))?

Thanks for any help!

0 Karma
1 Solution

to4kawa
Ultra Champion
host=linux01 sourcetype="linux:audit"
| bin span=1d _time
| stats count as total count(eval(key="linux01_change" AND NOT comm IN ("vi", "rm", "ls"))) as filter by _time

but the following is faster:

| tstats count where host=linux01 sourcetype="linux:audit" by _time span=1d prestats=t
| timechart span=1d count as total
| appendcols [ search host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
| timechart span=1d count as filter ]


0 Karma


splunkbeginner
Engager

@to4kawa

It really helps. Thank you.

0 Karma

renjith_nair
Legend

@splunkbeginner,

Try

host=linux01 sourcetype="linux:audit" key="linux01_change" 
|timechart count as total,count(eval(!(match(comm,"vi")))) as not_vi

References:
https://docs.splunk.com/Documentation/Splunk/latest/Search/Usestatswithevalexpressionsandfunctions
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

splunkbeginner
Engager

Thanks renjith.nair,

Sorry for the missing info. The base search shall be:
host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)

and the number of total events wanted is (host=linux01 sourcetype="linux:audit"), not (host=linux01 sourcetype="linux:audit" key="linux01_change")

The number of filtered events wanted is host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)

I want the search to become something like this:
host=linux01 sourcetype="linux:audit" | timechart count(host=linux01 sourcetype="linux:audit") as Total, count( host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls) ) as Filtered

Could you fine-tune the search? Much appreciated.

0 Karma

renjith_nair
Legend

@splunkbeginner,

Try

host=linux01 sourcetype="linux:audit" | eventstats count as TOTAL
| search key="linux01_change" NOT comm IN (vi, rm, ls)
| stats max(TOTAL) as Total, count as "filtered count"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

splunkbeginner
Engager

@renjith.nair,

Much appreciated. There is some output.

If I want to use a timechart to show the number of TOTAL and the number of Filtered each day, what will the search be like?

host=linux01 sourcetype="linux:audit" |eventstats count as TOTAL
|search key="linux01_change" NOT comm IN (vi, rm, ls)
|timechart span=1d TOTAL and filter???

Sorry for the trivial question again.

0 Karma
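For the per-day version asked about in the last post, an added example that was not posted by any participant in this thread: timechart does the bucketing that bin plus stats did in the accepted answer, and the conditional count uses eval, where the excluded comm values must be quoted string literals (unquoted names are read as field names inside eval). It assumes only the field names already used in the thread (host, sourcetype, key, comm).

```spl
host=linux01 sourcetype="linux:audit"
| timechart span=1d
    count as Total
    count(eval(key="linux01_change" AND NOT comm IN ("vi", "rm", "ls"))) as Filtered
| eval Filtered_pct = if(Total > 0, round(100 * Filtered / Total, 1), 0)
```

Total counts every linux:audit event for the host in each day, Filtered counts only the key="linux01_change" events whose comm is not vi, rm or ls, and the if() guard keeps Filtered_pct from becoming null on a day with no events.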