Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search which finds the addition or deletion to the log sources happened since last week by index and loss/gain must be specified in percentage

smithahc1966
New Member
‎03-31-2019 08:28 PM

I am trying to write a search which finds the addition or deletion to the log sources happened since last week by index and loss/gain must be specified in percentage.

0 Karma
Reply

lakshman239
Influencer
‎04-02-2019 03:09 PM

One option would be to schedule a search to get source, sourcetype and index and output the results to a summary index and then you can run searches against that to compare for any days.

 | tstats count where index=* groupby index, sourcetype, source, _time span=1d | collect index=summary

The above will store the results to summary index and you can then schedule another search to look for changes by sourcetype or source and then cal the perc

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...