Reporting

Incremental saved report

eranday
New Member

Turning to the wisdom of the Splunkers,

I have an event called "station status" that basically sends on a daily basis operational info about my stations.

I would like to build a saved report (or any other solution) that holds the most updated event for each station and looking for suggestions on how to approach this.

Please consider:
1. The report can be updated between 3 to 6 times a day
2. I don't want to hold old events from a station. Meaning, if new info arrives regarding a station, it should delete or update the old data.

Thanks in advance,
Eran

1 Solution

CarsonZa
Contributor

If I'm understanding correctly, you could run a scheduled report that overwrites a lookup with the current status. Then you have a second report/dashboard that calls that lookup file, so the oldest data would be from the time in between your scheduled searches.

So have a scheduled report that runs every 15 minutes or so and outputs the status of each station like so:

station1, up
station2, down
station3, up

Because you are overwriting the lookup on each run, the status will always be current and you won't have to manipulate any of the data.

eranday
New Member

Thank you @CarsonZa for your detailed answer.
I might have missed an important fact.
We might not receive status from some stations for days (the station is shut down or lacks an internet connection).

The reason I'm pointing this out now is that, from your solution, I understand that my scheduled report will need to run over all time (in order to catch stations that stopped reporting).

Does this make sense? Am I missing something?
Thanks again, your effort is most appreciated.

Eran


CarsonZa
Contributor

It doesn't have to run over all time. You would just have to build some logic into your search. My personal opinion is that if the search doesn't return any results for a particular station, then that station is down (whether it actually is or not). So you have to have some if statements in your search to add the entry to your lookup, which is what @skoelpin was referring to.


eranday
New Member

Thank you @CarsonZa & @skoelpin!!
This was very helpful.


skoelpin
SplunkTrust

Feel free to upvote if this helped


skoelpin
SplunkTrust

This is the way to go. The only thing to consider is when the data is null and | outputlookup overwrites the existing table with a null result, which will cause the lookup table to be null. Easy fix with a pre-processing step.

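Putting CarsonZa's overwrite-the-lookup approach and skoelpin's null caveat together, here is an added example of the scheduled search (it is not code from either poster). It assumes hypothetical names: index stations, sourcetype station_status, fields station and status, and a lookup file station_status.csv that already exists (create it once by running the search without the inputlookup line).

```spl
`comment("Added example. Index sourcetype field and lookup names are hypothetical.")`
`comment("Scheduled every 15 minutes: look back a few hours for fresh station reports.")`
index=stations sourcetype=station_status earliest=-6h
| stats latest(status) AS status, max(_time) AS last_seen BY station
`comment("Merge the previous lookup contents so stations that did not report in this window keep their last-known status.")`
| inputlookup append=true station_status.csv
| eval last_seen=tonumber(last_seen)
`comment("Newest report per station wins; older rows for the same station are dropped.")`
| sort 0 - last_seen
| dedup station
`comment("Optional: flag stations silent for more than 3 days rather than silently carrying a stale status forward.")`
| eval stale_after_secs=3*86400
| eval status=if(now() - last_seen > stale_after_secs, "no_report", status)
| eval last_seen_readable=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
`comment("Write back. Because the previous rows were appended above an empty search window can never leave the lookup empty.")`
| table station status last_seen last_seen_readable
| outputlookup station_status.csv
```

The second report or dashboard panel then reads the current state with | inputlookup station_status.csv, and the stale flag gives the "station is down if it stopped reporting" behaviour CarsonZa describes without searching over all time.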

jplumsdaine22
Influencer

That should be fairly straightforward. What have you already tried? The parts you're getting stuck on will be greatly illuminating as the answers to your questions are going to be "it depends" without more information on the structure of your events and how frequently they come in.
