Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart to show the number of total events before filtering and number of filtered events

splunkbeginner
Engager
‎04-16-2020 06:36 PM

the search is like this:
host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi)

how can I create a timechart to show the number of total events (host=linux01 sourcetype="linux:audit") and the number of filtered events (host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi))?

thanks for any help!

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-17-2020 02:24 PM 
host=linux01 sourcetype="linux:audit"
| bin span=1d _time
| stats count as total count(eval(key="linux01_change" AND NOT comm IN (vi, rm, ls))) as filter by _time

but this is faster following:

| tstats count where host=linux01 sourcetype="linux:audit" by _time span=1d prestats=t
| timechart span=1d count as total
| appendcols [ search  host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
| timechat span=1d count as filter]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-17-2020 02:24 PM 
host=linux01 sourcetype="linux:audit"
| bin span=1d _time
| stats count as total count(eval(key="linux01_change" AND NOT comm IN (vi, rm, ls))) as filter by _time

but this is faster following:

| tstats count where host=linux01 sourcetype="linux:audit" by _time span=1d prestats=t
| timechart span=1d count as total
| appendcols [ search  host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
| timechat span=1d count as filter]
0 Karma
Reply
Solved! Jump to solution

splunkbeginner
Engager
‎04-17-2020 06:39 PM

@to4kawa

it really helps. thank you.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎04-16-2020 08:41 PM

@splunkbeginner,

Try

host=linux01 sourcetype="linux:audit" key="linux01_change" 
|timechart count as total,count(eval(!(match(comm,"vi")))) as not_vi

References :
https://docs.splunk.com/Documentation/Splunk/latest/Search/Usestatswithevalexpressionsandfunctions
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

splunkbeginner
Engager
‎04-17-2020 03:42 AM

thx renjith.nair,

sorry for some missing info. The base search shall be:
host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)

and the the number of total events wanted is (host=linux01 sourcetype="linux:audit"), not (host=linux01 sourcetype="linux:audit" key="linux01_change")

the number of filtered events wanted is host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)

i want the search to become sth like this:
host=linux01 sourcetype="linux:audit" | timechart count(host=linux01 sourcetype="linux:audit") as Total, count( host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls) ) as Filtered

could you fine tune the search? much appreciated.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎04-17-2020 05:50 AM

@splunkbeginner,

Try

host=linux01 sourcetype="linux:audit" |eventstats count as TOTAL
|search key="linux01_change" NOT comm IN (vi, rm, ls) 
|stats max(TOTAL) as Total,count as filtered count
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

splunkbeginner
Engager
‎04-17-2020 07:12 AM

@renjith.nair,

much appreciated. there are some output.

if I want to use a timechart to show number of TOTAL and number of Filtered each day, the search will be like?

host=linux01 sourcetype="linux:audit" |eventstats count as TOTAL
|search key="linux01_change" NOT comm IN (vi, rm, ls)
|timechart span=1d TOTAL and filter???

Sorry for the trivial question again

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...