Security

count of events in dynamic time defined by token

spisiakmi
Contributor

Hi, can anybody help with this problem, please?

source1: lookup Tab (lookup.csv)

att1  att2  att3
F1    1100  12.09.2024
F2    1100  23.04.2024
F3    1100  15.06.2024
F4    1100  16.03.2024

att1 is also in index=myindex

I want a table with, for every att1 from lookup.csv, the count of all events from index=myindex att1=$att1$ AND earliest=strptime($att3$, "%d.%m.%Y")

output:

att1  count(from myindex)  att2  att3
F1    count                1100  12.09.2024
F2    count                1100  23.04.2024
F3    count                1100  15.06.2024
F4    count                1100  16.03.2024
0 Karma

gcusello
SplunkTrust

Hi @spisiakmi ,

Let me understand:

do you want to put in an input both the att1 and att3 tokens, or do you want to pass all the att1 and att3 values of the lookup?

In the first case, you first have to create in a dashboard a dropdown using a search like the following:

| inputlookup lookup.csv
| eval token=att1.",".att3
| dedup token
| sort token
| table token

passing the token by value to the following search.

Then run this search (in the same dashboard):

index=myindex [ | makeresults | eval token="$token$" | rex field=token "^(?<att1>[^,]+),(?<att3>.*)" | eval earliest=strptime(att3, "%d.%m.%Y") | fields att1 earliest ]
| ...

Ciao.

Giuseppe

0 Karma

spisiakmi
Contributor

Hi gcusello, thank you for your reply. In fact there should be a saved search running on a daily basis.

Example:

For every row in the lookup table a query should run.

index=myindex att1=F1
| where _time >= strptime("12.09.2024", "%d.%m.%Y")
| stats count as cnt

index=myindex att1=F2
| where _time >= strptime("23.04.2024", "%d.%m.%Y")
| stats count as cnt

index=myindex att1=F3
| where _time >= strptime("15.06.2024", "%d.%m.%Y")
| stats count as cnt

index=myindex att1=F4
| where _time >= strptime("16.03.2024", "%d.%m.%Y")
| stats count as cnt

result:
att1  cnt    att2  att3
F1    234    1100  12.09.2024
F2    4235   1100  23.04.2024
F3    3763   1100  15.06.2024
F4    42314  1100  16.03.2024

0 Karma

gcusello
SplunkTrust

Hi @spisiakmi ,

ok, is the solution ok for you?

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

spisiakmi
Contributor

Hi gcusello, thank you very much for supporting me. Unfortunately it is not what I have to achieve.

1. I need a saved search, so 1 query in fact.

2. Your solution is using a dropdown, where only 1 value is/can be chosen. I need to run a search through all elements of the token. Something like: for each item of the token, run the query.

0 Karma
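The following is an added worked example, written by the editor and not posted by either participant, of how the requirement stated in this thread (one scheduled search, one count per lookup row, each row with its own start date) can be expressed as a single SPL search. It assumes that lookup.csv has been uploaded as a lookup file visible to the search (so both `inputlookup` and `lookup` can read it by file name), that att3 is always in dd.mm.yyyy form, and that the events in index=myindex carry a field named att1. Because the `search` command's `earliest` accepts only one time bound per search (it cannot be an `eval` expression, and it cannot differ per row), the example uses the oldest att3 date as the overall `earliest` and applies the per-row date with a `where` on `_time`. The `append` of zero-count rows is there so att1 values with no matching events are still listed with cnt=0.

```spl
index=myindex
    [ | inputlookup lookup.csv
      | eval earliest=floor(strptime(att3, "%d.%m.%Y"))
      | stats min(earliest) AS earliest
      | return earliest ]  ```the oldest att3 date becomes the time bound for the whole search```
| lookup lookup.csv att1 OUTPUT att2 att3  ```assumption: lookup.csv is an uploaded lookup file; att2/att3 come from the matching lookup row```
| where isnotnull(att3) AND _time >= strptime(att3, "%d.%m.%Y")  ```per-row start date: keep only events at or after this row's att3```
| stats count AS cnt BY att1, att2, att3
| append
    [ | inputlookup lookup.csv
      | eval cnt=0 ]  ```zero rows so att1 values with no events still appear in the output```
| stats sum(cnt) AS cnt BY att1, att2, att3
| table att1 cnt att2 att3
```

When saving this as a scheduled search, give it a time range at least as wide as the oldest att3 date (the `earliest` returned by the subsearch overrides the picker only when it falls inside the search's own range, so a range such as All time is the safe choice). Two caveats worth checking before relying on the numbers: `strptime` with a date-only format yields midnight in the time zone configured for the user who owns the search, so rows near a day boundary can shift if that setting changes; and both subsearches are subject to the default subsearch limits (result count and execution time), which is irrelevant for a four-row lookup but matters if the lookup grows to thousands of rows.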