Splunk Enterprise Security

Visualisation : Single Value with Trendline

syazwani
Path Finder

Hi,

I'm trying to create a single value with trendline visualisation, where I want to compare the difference between today's result and yesterday's results. The trendline should be the difference between yesterday's and today's results.

I have applied several solutions, but the total number does not tally with today's result.

My base query is:

index=emailgateway action=* from!="" to!=""
| stats count

which gives the following result (today's result):

[Screenshot: Base]

Here are several solutions that I have tried:

Solution 1

I'm using the trendline wma2:

index=emailgateway action=* from!="" to!=""
| timechart span=1d count as Total
| trendline wma2(Total) as Trend
| sort - _time

the result is shown below:

[Screenshot: Solution 1]

- the result shows the trendline, but the total number (90,702) did not tally with today's result (227,019)

Solution 2

I'm using the delta command:

index=emailgateway action=* from!="" to!=""
| timechart span=1d count as Total
| delta Total p=1 as difference

the result is shown below:

[Screenshot: Solution 2]

- the total number is different (including the trendline number)

Solution 3

I tried to use the tstats command (from Enterprise Security):

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Email where (All_Email.action=* AND All_Email.orig_dest!="" OR All_Email.orig_src!="") earliest=-48h latest=-24h
| append
[| tstats summariesonly=true allow_old_summaries=true count from datamodel=Email where (All_Email.action=* AND All_Email.orig_dest!="" OR All_Email.orig_src!="") earliest=-24h latest=now]
| appendcols
[| makeresults
| eval time=now()
]
| rename time AS _time

[Screenshot: Solution 3]

- which also did not work

Can anyone help? Did I miss anything? Please.


Chef
Explorer

Hi syazwani,

What timeframes are you specifying for your searches? I suspect that's the reason why you're getting inconsistencies in your search. 

In your Enterprise Security search you're specifying a 24-hour time period:

earliest=-48h latest=-24h

which will give you different results depending on the time you run it.

Try the following:

Today's current total:

index=emailgateway action=* from!="" to!="" earliest=@d
| stats count


Compare yesterday and today:

index=emailgateway action=* from!="" to!="" earliest=-1d@d
| timechart span=1d count as total


Simpler tstats command:

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Email where All_Email.action=* All_Email.orig_dest!="" All_Email.orig_src!="" earliest=-1d@d latest=now by _time span=1d


Using earliest=-1d@d will take the search back to the beginning of yesterday (12:00am), whereas using earliest=@d will take you to the beginning of the current day.

Hope this helps!

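The timeframe point in the answer (a rolling 24-hour window versus a window snapped to midnight with @d) is easy to see on a handful of events, so here is an added worked example in Python. It is not Splunk code and not from this thread: it resolves a small subset of Splunk's relative-time syntax (an assumption stated in the code), buckets constructed gateway events by calendar day the way timechart span=1d does, and runs the delta and wma2 calculations from the question's first two solutions over those buckets. The event timestamps, the search time NOW and every helper name are constructed for the illustration.

```python
"""Day-over-day counts with Splunk-style time windows, worked in Python.

Added illustration for this thread; it is not Splunk code and not SPL. It
re-creates what the searches in the answer do, on constructed data:
  - earliest/latest windows from relative time modifiers such as -48h,
    -24h, @d and -1d@d (a small subset of Splunk's syntax, assumed here),
  - `timechart span=1d count as Total` (bucket by calendar day),
  - `delta Total p=1` and `trendline wma2(Total)` over those buckets.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed "emailgateway" events: (_time, action, from, to). Two of them
# have an empty from/to so the from!="" to!="" filter has something to drop.
EVENTS = [
    (datetime(2024, 5, 1, 23, 30), "allowed", "a@x.test", "b@y.test"),
    (datetime(2024, 5, 2, 1, 15), "allowed", "c@x.test", "d@y.test"),
    (datetime(2024, 5, 2, 3, 0), "blocked", "e@x.test", "f@y.test"),
    (datetime(2024, 5, 2, 9, 0), "blocked", "g@x.test", "h@y.test"),
    (datetime(2024, 5, 2, 9, 5), "blocked", "", "h@y.test"),    # from!="" drops it
    (datetime(2024, 5, 2, 15, 45), "allowed", "i@x.test", "j@y.test"),
    (datetime(2024, 5, 2, 20, 0), "allowed", "k@x.test", "l@y.test"),
    (datetime(2024, 5, 2, 21, 30), "blocked", "m@x.test", "n@y.test"),
    (datetime(2024, 5, 3, 0, 30), "allowed", "o@x.test", "p@y.test"),
    (datetime(2024, 5, 3, 8, 20), "blocked", "q@x.test", "r@y.test"),
    (datetime(2024, 5, 3, 8, 25), "allowed", "s@x.test", ""),   # to!="" drops it
    (datetime(2024, 5, 3, 10, 0), "allowed", "t@x.test", "u@y.test"),
]

# Constructed "search time": a rolling window's numbers depend on this.
NOW = datetime(2024, 5, 3, 12, 0)

_REL = re.compile(r"^(?:now)?(?:([+-]\d+)([hd]))?(@d)?$")


def relative_time(modifier: str, now: datetime) -> datetime:
    """Resolve now, -24h, -48h, @d, -1d@d. The offset is applied first and
    @d then snaps the result back to 00:00 of that day, which is why
    -1d@d means "start of yesterday" rather than "24 hours ago"."""
    m = _REL.match(modifier)
    if not modifier or not m:
        raise ValueError(f"unsupported relative time: {modifier!r}")
    amount, unit, snap = m.groups()
    t = now
    if amount:
        n = int(amount)
        t += timedelta(hours=n) if unit == "h" else timedelta(days=n)
    if snap:
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return t


def search(earliest: str, latest: str, now: datetime) -> List[datetime]:
    """index=emailgateway action=* from!="" to!="" earliest=... latest=...
    (earliest inclusive, latest exclusive, as Splunk evaluates them)."""
    lo, hi = relative_time(earliest, now), relative_time(latest, now)
    return [ts for ts, action, sender, rcpt in EVENTS
            if action and sender and rcpt and lo <= ts < hi]


def timechart_1d(timestamps: List[datetime]) -> Dict[str, int]:
    """timechart span=1d count as Total: one bucket per calendar day."""
    buckets: Dict[str, int] = {}
    for ts in timestamps:
        day = ts.strftime("%Y-%m-%d")
        buckets[day] = buckets.get(day, 0) + 1
    return dict(sorted(buckets.items()))


def delta(series: List[int]) -> List[Optional[int]]:
    """delta Total p=1: each row minus the previous row; first row is empty."""
    return [None] + [cur - prev for prev, cur in zip(series, series[1:])]


def wma2(series: List[float]) -> List[Optional[float]]:
    """trendline wma2(Total): linearly weighted moving average over two rows,
    weights 1 (older) and 2 (newer). Assumed to match Splunk's wma."""
    return [None] + [(prev * 1 + cur * 2) / 3 for prev, cur in zip(series, series[1:])]


def compare(now: datetime) -> dict:
    """Run the rolling -48h/-24h windows from the question beside the
    day-snapped -1d@d/@d windows from the answer."""
    rolling = {"yesterday": len(search("-48h", "-24h", now)),
               "today": len(search("-24h", "now", now))}
    snapped = timechart_1d(search("-1d@d", "now", now))
    totals = list(snapped.values())
    return {"rolling": rolling, "snapped": snapped,
            "delta": delta(totals), "wma2": wma2(totals),
            "today_stats_count": len(search("@d", "now", now))}


def demo() -> dict:
    """The comparison at the constructed search time NOW."""
    return compare(NOW)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the rolling -24h window counts six events for "today" while earliest=@d counts three: the rolling window has pulled in yesterday evening's traffic, which is the same kind of mismatch the question reports between the trendline total and the plain stats count. The day-snapped timechart gives one clean row per calendar day, so delta and wma2 are then comparing like with like.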


syazwani
Path Finder

Hi Chef,

Yeah, I messed up with the timeframes 🙂 I'm using the comparison query and it's working fine. Thank you. This really helps me a lot. Thank you again, sir.
