Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Visualisation : Single Value with Trendline

syazwani
Path Finder
‎10-17-2021 09:53 PM

Hi,

Im trying to create a single value with trendline visualisation, where I want to compare the difference between todays result with yesterday results. The trendline should be the results difference of  yesterday and today. 

I have applied several solutions, but the total number does not tally with the today's result.

My base query is:

Spoiler
index=emailgateway action=* from!="" to!=""
| stats count

which result shown as (today result) :

BaseBase

Here are several solutions that I have tried:-

Solution 1

Im using the trendline wma2 

Spoiler
index=emailgateway action=* from!="" to!=""
| timechart span=1d count as Total
| trendline wma2("x") as Trend
| sort - _time

the result shown as below:

Solution 1Solution 1

- the result shows the trendline, but the total number (90,702) did not tally with today's result (227,019)

 

Solution 2

Im using the delta command :- 

Spoiler
index=emailgateway action=* from!="" to!=""
| timechart span=1d count as Total
| delta Total p=1 as diference

the result shown as below:
Solutyion 2.PNG
 - the total number is different (including the trendline number)

 


Solution 3

I tried to use the |tstats command (from Enterprise Security)

Spoiler
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Email where (All_Email.action=* AND All_Email.orig_dest!="" OR All_Email.orig_src!="") earliest=-48h latest=-24h
| append
[| tstats summariesonly=true allow_old_summaries=true count from datamodel=Email where (All_Email.action=* AND All_Email.orig_dest!="" OR All_Email.orig_src!="") earliest=-24h latest=now]
| appendcols
[| makeresults
| eval time=now()
]
| rename time AS _time

Solution 3Solution 3

- which also did not work

Can anyone help? Did i missed anything? Please.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Chef
Explorer
‎10-18-2021 10:14 PM

Hi syazwani,

What timeframes are you specifying for your searches? I suspect that's the reason why you're getting inconsistencies in your search. 

In your enterprise security search you're specifying a 24 hour time period:

earliest=-48h latest=-24h

Which will give you different results depending on the time you run it.

Try the following:

 Todays current total:

index=emailgateway action=* from!="" to!="" earliest=@d
| stats count

 

Compare yesterday and today:

index=emailgateway action=* from!="" to!="" earliest=-1d@d
| timechart span=1d count as total

 

Simpler tstats command:

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Email where All_Email.action=* All_Email.orig_dest!="" All_Email.orig_src!="" earliest=-1d@d latest=now by _time span=1d

 

Using earliest=-1d@d will take the search back to the beginning of yesterday (12:00am). Whereas using earliest=@d will take you to the beginning of the current day.

Hope this helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Chef
Explorer
‎10-18-2021 10:14 PM

Hi syazwani,

What timeframes are you specifying for your searches? I suspect that's the reason why you're getting inconsistencies in your search. 

In your enterprise security search you're specifying a 24 hour time period:

earliest=-48h latest=-24h

Which will give you different results depending on the time you run it.

Try the following:

 Todays current total:

index=emailgateway action=* from!="" to!="" earliest=@d
| stats count

 

Compare yesterday and today:

index=emailgateway action=* from!="" to!="" earliest=-1d@d
| timechart span=1d count as total

 

Simpler tstats command:

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Email where All_Email.action=* All_Email.orig_dest!="" All_Email.orig_src!="" earliest=-1d@d latest=now by _time span=1d

 

Using earliest=-1d@d will take the search back to the beginning of yesterday (12:00am). Whereas using earliest=@d will take you to the beginning of the current day.

Hope this helps!

0 Karma
Reply
Solved! Jump to solution

syazwani
Path Finder
‎10-19-2021 10:37 PM

Hi chef,

Yeah I messed up with the timeframes 🙂 Im using the comparison query and its working fine. Thankyou. This really helps me a lot. Thankyou again sir.

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...