How do I get the difference between the number of events

jhilton90
Path Finder

I am ingesting advanced hunting logs and I have a main dashboard where I present the number of events per Event Category as single numbers. I want to be able to track the changes in the number of events.

For instance, if Monday has 1,000,000 events but Tuesday has 2,000,000 events then the number of events has increased by 1,000,000.

How can I work out the difference and display this on the main dashboard?

Any help is greatly appreciated

0 Karma
1 Solution

ITWhisperer
SplunkTrust

In that case you don't need to calculate the difference, just set the trend indicator for the single

[screenshot: ITWhisperer_0-1691165988071.png]

Although you do still need to count over time

index=advanced_hunting
| bin _time span=1d
| chart count by _time EventCategory


jhilton90
Path Finder
index=advanced_hunting EventCategory=AdvancedHunting-DeviceEvents
| streamstats window=2 current=f last(EventCategory) as previous_count
| eval change=EventCategory-previous_count

 

Thanks

0 Karma

ITWhisperer
SplunkTrust

OK I had assumed you already had the daily counts by EventCategory, but it appears not. Try something like this

index=advanced_hunting
| bin _time span=1d
| stats count by _time EventCategory
| streamstats window=2 current=f global=f last(count) as previous_count by EventCategory
| eval change=count-previous_count
0 Karma
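A worked version of the two searches in this thread (the daily count by EventCategory from the accepted solution and the streamstats difference from the reply just above), added here as an illustration; it is not a search posted by either participant. It runs on constructed daily counts built with makeresults so it can be pasted into any search bar without the advanced_hunting index: the dates and the counts are made up (the 1,000,000 to 2,000,000 step is the one from the question), and the only category names used are the two mentioned in the thread.

```spl
| makeresults
| eval rows="2023-08-01|AdvancedHunting-DeviceEvents|1000000;2023-08-02|AdvancedHunting-DeviceEvents|2000000;2023-08-03|AdvancedHunting-DeviceEvents|1500000;2023-08-01|AdvancedHunting-DeviceFileEvents|400000;2023-08-03|AdvancedHunting-DeviceFileEvents|450000"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<day>[^|]+)\|(?<EventCategory>[^|]+)\|(?<count>\d+)$"
| eval _time=strptime(day, "%Y-%m-%d"), count=tonumber(count)
| fields _time EventCategory count
| xyseries _time EventCategory count
| fillnull value=0
| untable _time EventCategory count
| sort 0 EventCategory _time
| streamstats current=f window=1 global=f last(count) as previous_count by EventCategory
| eval change=count-previous_count
| eval pct_change=if(previous_count>0, round(100*change/previous_count, 1), null())
| dedup EventCategory sortby -_time
| table EventCategory _time count previous_count change pct_change
```

The first six lines only build the sample table of one row per day and category; against real data replace them with `index=advanced_hunting earliest=-8d@d latest=@d | bin _time span=1d | stats count by _time EventCategory`, where latest=@d keeps the partial current day out of the comparison (otherwise today's few hours of events are compared against a full yesterday and every category looks like it dropped). The xyseries, fillnull and untable stage is the caveat the thread does not mention: stats only emits rows for days on which a category actually had events, so without the zero-fill streamstats would compare 2023-08-03 for AdvancedHunting-DeviceFileEvents against 2023-08-01 and report +50,000 instead of a drop to zero followed by a recovery; leave that stage out if a missing day should be skipped rather than counted as zero. global=f makes streamstats keep a separate window per category, as in the reply above; without it the window is shared across all categories and previous_count can come from the wrong one. dedup keeps just the most recent day per category, which is the shape a single-value panel wants (one panel per category filtered with `EventCategory=...`); drop it to see the whole history, in which the first day of each category has no previous_count and therefore a null change.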

jhilton90
Path Finder

That's great, that gives me the difference between the two days. Now I need to display it like the image.

0 Karma

ITWhisperer
SplunkTrust

Use streamstats to get the previous day's count and subtract it from each day's count.

| streamstats window=2 current=f last(count) as previous_count
| eval change=count-previous_count
0 Karma

jhilton90
Path Finder

Perhaps this might help. Currently I'm ingesting advanced hunting logs into index=advanced_hunting, and within that index there is EventCategory, which has different categories such as AdvancedHunting-DeviceEvents or AdvancedHunting-DeviceFileEvents, as well as other fields like Timestamp etc.

In the main dashboard, I've got a count of each of the EventCategory values, which gives me the total number of events in each EventCategory, and I need to find a way to get the difference on a daily basis.

0 Karma

ITWhisperer
SplunkTrust

What search do you already have? Perhaps we can build from there?

0 Karma