Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with timecharts
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help with timecharts
New to splunk so aplogies if this question is not worded correctly. Trying to generate a view (sparkline?) that compares the cumulative value of events over a given period with the current value. I have a query in place the will show me the count of events that happened each day based on the defined time period:
index=* name="event type" | dedup src | timechart count
but now I want to generate a sparkline that compares the total count with the current value day's value. This will be presented in a single value field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try this search code
index=* name="event type" | dedup src | timechart count as Total_count|appendcols[search index=* name="event type" | dedup src | timechart span=1d count as daily_count]|eval diff=Total_count-daily_count|stats sparkline count(diff)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you provide more details on expected output?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, I think I over simplified my question which is why I am having such a hard time getting my arms around this problem. In my case, the "event type" is actually a state that can change at any given time. (i.e. machine x changed from state 'a' to state 'b')
So I just realized that part of my problem is that I am deduping which eliminates all events except for the final state change. This in combination of the idea that I am not keeping a running tally for each day, I don't see an easy way to track trends.
In the end, what I was hoping to accomplish was show trends in change in state over a period of time. I just need to rethink this a little.
Thanks for the response. Greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure, that all sounds like fun. We may still be able to help if you could provide a few sample events - I think you are clear enough on your description above that with those two things a start could be made. Sometimes that's all it takes to get your own juices flowing...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rich, here are a couple of event:
Mar 4 06:00:50 192.168.15.125 Mar 4 06:00:01 S14945214214616 - -: CEF:0|Vectra Networks|Vectra|2.3|hsc|Host Score Change|3|externalId=5084 cat=HOST SCORING shost=BThomas-Win7 src=192.168.111.3 dst=192.168.111.3 flexNumber1=84 flexNumber1Label=risk cs4=https://192.168.15.125/hosts/5084 cs4Label=URL start=1457100001073 end=1457100001073
Mar 4 03:00:50 192.168.15.125 Mar 4 03:00:01 S14945214214616 - -: CEF:0|Vectra Networks|Vectra|2.3|hsc|Host Score Change|3|externalId=5086 cat=HOST SCORING shost=WSmith_WinPC src=192.168.111.2 dst=192.168.111.2 flexNumber1=64 flexNumber1Label=risk cs4=https://192.168.15.125/hosts/5086 cs4Label=URL start=1457089201104 end=1457089201104
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
