Reporting

chart the history of daily runs of a single-value search result

elenzil
Path Finder

HI!

I have a search which runs daily and results in a single number.

it looks more or less like:
search foo | dedup bar | stats count

I would love get a nice pretty chart of the result over say the last 90 days.

i could do something like this:
search foo | eval day=floor(_time/(60*60*24)) | dedup day bar | stats count by day

and run it over the time range i'm interested in (say 90 days),
but i'd really prefer not re-run this moderately expensive search on data it's already been run on.

any tips ?

also fwiw,
so far i've only used the web UI, and would prefer to stay in that space,
but if scripting is required, then maybe i'll have to go there.

tia,
Orion

0 Karma

Damien_Dallimor
Ultra Champion

Have a look at Summary Indexing

You could store the results of your daily search in a summary index, and then run your 90 day search against the summary index.Summary index data does not count towards your license consumption.

Damien_Dallimor
Ultra Champion

And just to offer an alternate to summary indexing ..... your chart could reference a scheduled search that counts "bar" per day over the last 90 days. Each time the chart loads it will use the results from the last time the scheduled search ran, rather than executing the search inline each time.

0 Karma

Damien_Dallimor
Ultra Champion

Schedule this search to run daily(included the time range in the search string, but you can also specify it when setting up the scheduled search) :

index=foo earliest=-1d@d latest=@d | bucket span=1d _time | stats count as "daily_count" by bar, _time

And send the results to a summary index :

summary_foobar_daily_count

And then every 90 days you can run a search on the summary index to give you a time based chart :

index=summary_index_daily_count earliest=-90d@d latest=@d | timechart span=1d first(daily_count) by bar

0 Karma

elenzil
Path Finder

so after reading the man page on indexed search results, i'm not entirely sure what i should make the search look like. my raw search is this: "search foo | rex (?) | eval epoch_day=floor(_time/(86400)) | dedup bar epoch_day | stats count by epoch_day" - should i stop at the dedup ? after the dedup ? should i add epoch_day as an output field of the summary index search ? any pointers tyty

0 Karma

elenzil
Path Finder

interesting, thanks. i'll give that a shot.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...