Splunk Search

Dashboard for host,sourcetype, latest event received,Total Eventcount and sparkline for count of 1month?

Atchyuth_P
Path Finder

Hi,

 

| tstats earliest(_time) as Earliest latest(_time) as Latest where index=_internal by _time, index, sourcetype, host span=1d
| eval Earliest=strftime(Earliest,"%Y-%m-%dT%H:%M:%S.%Q")
| eval Latest=strftime(Latest,"%Y-%m-%dT%H:%M:%S.%Q")
| appendcols
[tstats count where index=_internal by _time]

I would like to generate the dashboard for host,sourcetype, latest event received,Total Eventcount and sparkline for count of 1month

As per the above query i am getting result like this

Is there any other alternative for this please suggest?

Atchyuth_P_0-1664894021253.png

 

Labels (2)
Tags (2)
0 Karma
1 Solution

johnhuang
Motivator

Try something like this:

 

| tstats earliest(_time) AS earliest_epoch latest(_time) AS latest_epoch count AS event_count WHERE (index=_internal earliest=-1mon) BY index, sourcetype, host, _time span=1d
| eval earliest_time=strftime(earliest_epoch,"%Y-%m-%dT%H:%M:%S.%Q")
| eval latest_time=strftime(latest_epoch,"%Y-%m-%dT%H:%M:%S.%Q")
| stats min(earliest_time) AS earliest_time max(latest_time) AS latest_time sum(event_count) AS total_events sparkline(sum(event_count)) AS event_count_sparkline BY index sourcetype host

 

 

View solution in original post

0 Karma

johnhuang
Motivator

Try something like this:

 

| tstats earliest(_time) AS earliest_epoch latest(_time) AS latest_epoch count AS event_count WHERE (index=_internal earliest=-1mon) BY index, sourcetype, host, _time span=1d
| eval earliest_time=strftime(earliest_epoch,"%Y-%m-%dT%H:%M:%S.%Q")
| eval latest_time=strftime(latest_epoch,"%Y-%m-%dT%H:%M:%S.%Q")
| stats min(earliest_time) AS earliest_time max(latest_time) AS latest_time sum(event_count) AS total_events sparkline(sum(event_count)) AS event_count_sparkline BY index sourcetype host

 

 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...