Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Could someone help me understand this search?

Keerthi
Path Finder
‎07-05-2023 02:13 AM 
| makeresults count=730
| streamstats count
| eval _time=_time-(count*86400)
| timechart Count as Timestamp span=1mon
| join type=left _time [| savedsearch XYZ
| eval today = strftime(relative_time(now(), "@d"), "%Y-%m-%d %H:%M:%S.%N")
| where like (APP_NAME ,"%") and like (BS_ID,"%") and like (Function,"%") and like (DEPARTMENT_LONG_NAME,"%") and like (COUNTRY,"%") and like(EMPLOYEE_TYPE,"%")
| eval _time = strptime(FROM_DATE, "%Y-%m-%d %H:%M:%S.%N")
| timechart Count as Created span=1mon
| streamstats sum(Created) as Createdcumulative]
| join type=left _time
[| savedsearch XYZ
| where like (APP_NAME ,"%") and like (BS_ID,"%") and like (Function,"%") and like (DEPARTMENT_LONG_NAME,"%") and like (COUNTRY,"%") and like(EMPLOYEE_TYPE,"%")
| eval _time = strptime(TO_DATE, "%Y-%m-%d %H:%M:%S.%N")
| timechart Count as Deactivated span=1mon
| streamstats sum(Deactivated) as Deactivatedcumulative]






can anyone explain me the code please. am new and need this brief please.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-05-2023 02:25 AM 
| makeresults count=730
| streamstats count
| eval _time=_time-(count*86400)
| timechart Count as Timestamp span=1mon

This generates a set of values for _time which represent the beginning of the month for the past 2 years

| join type=left _time [| savedsearch XYZ
| eval today = strftime(relative_time(now(), "@d"), "%Y-%m-%d %H:%M:%S.%N")
| where like (APP_NAME ,"%") and like (BS_ID,"%") and like (Function,"%") and like (DEPARTMENT_LONG_NAME,"%") and like (COUNTRY,"%") and like(EMPLOYEE_TYPE,"%")
| eval _time = strptime(FROM_DATE, "%Y-%m-%d %H:%M:%S.%N")
| timechart Count as Created span=1mon
| streamstats sum(Created) as Createdcumulative]

This joins the Created counts for each month

| join type=left _time
[| savedsearch XYZ
| where like (APP_NAME ,"%") and like (BS_ID,"%") and like (Function,"%") and like (DEPARTMENT_LONG_NAME,"%") and like (COUNTRY,"%") and like(EMPLOYEE_TYPE,"%")
| eval _time = strptime(TO_DATE, "%Y-%m-%d %H:%M:%S.%N")
| timechart Count as Deactivated span=1mon
| streamstats sum(Deactivated) as Deactivatedcumulative]

This joins the Deactivate counts for each month

0 Karma
Reply

Keerthi
Path Finder
‎07-05-2023 03:23 AM

Does the created and deactivated count is based on FROM_DATE and TO_DATE?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-05-2023 03:27 AM

It looks like it since you have reset _time based the parsing of the two fields.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...