Splunk Search

Chart results of a report on a line chart

GenericSplunkUs
Path Finder

I've looked into Summary Indexing and I'm not sure that's what I'm looking for here.

I have a scheduled report that runs every day and just gives me the number of unique systems in an index for the last 30 days. I want to be able to take the results of this report from each day and chart that on a line chart, so I can see trending of numbers for enrolled systems better. So I'll get the daily result of the rolling 30-day search plotted on the graph.

Thanks,

0 Karma
1 Solution

richgalloway
SplunkTrust

Summary indexing will do that, although there are probably other ways as well.

Modify your existing daily scheduled report to include a collect command to save its results in a summary index. Then you can create a report or dashboard that reads each day's results from the summary index. For example, if you write results to a summary index called 'dailySystemCount' then the report might look something like index = dailySystemCount | timechart span=1d values(count).

---
If this reply helps you, Karma would be appreciated.
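
Added example, not part of the original reply and not the answerer's own configuration: the two saved searches the answer describes, written as savedsearches.conf stanzas. The stanza names, the source index placeholder `<your_index>`, the `host` field used to identify a system, and the schedule are assumptions; the summary index `dailySystemCount` and the trend query come from the reply, and the summary index has to exist before the first run.

```ini
# savedsearches.conf (constructed example; adjust names to your environment)

# 1) Existing daily report, extended with collect.
#    Assumption: a "system" is identified by the host field and the
#    source data lives in <your_index> (placeholder, not from the thread).
[Daily Enrolled System Count]
# Run once a day at 01:00 (assumed schedule).
enableSched = 1
cron_schedule = 0 1 * * *
# Rolling 30-day window, snapped to day boundaries.
dispatch.earliest_time = -30d@d
dispatch.latest_time = @d
# dc() gives the distinct count; the field is named "count" so the
# trend report below can read it back from the summary index.
search = index=<your_index> | stats dc(host) AS count | collect index=dailySystemCount

# 2) Trend report: one point per day, read from the summary index.
#    The query is the one given in the reply.
[Enrolled Systems Trend]
dispatch.earliest_time = -90d@d
dispatch.latest_time = now
search = index=dailySystemCount | timechart span=1d values(count)
```

Render the second search as a line chart in the report or dashboard panel; each daily run of the first search contributes one point.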


GenericSplunkUs
Path Finder

Okay, I wasn't sure if this was a good application for that since I'm not looking in TONS of data.

Thanks,

0 Karma