Splunk Search

How do I get the difference between the number of events

jhilton90
Path Finder

I am ingesting advanced hunting logs and I have a main dashboard where I present the number of events per Event Category as single numbers. I want to be able to track the changes in the number of events.

For instance, if Monday has 1,000,000 events but Tuesday has 2,000,000 events then the number of events has increased by 1,000,000.

How can I work out the difference and display this on the main dashboard?

Any help is greatly appreciated

1 Solution

ITWhisperer
SplunkTrust

In that case you don't need to calculate the difference, just set the trend indicator for the single

(screenshot attached: ITWhisperer_0-1691165988071.png)

Although you do still need to count over time

index=advanced_hunting
| bin _time span=1d
| chart count by _time EventCategory


jhilton90
Path Finder
index=advanced_hunting EventCategory=AdvancedHunting-DeviceEvents
| streamstats window=2 current=f last(EventCategory) as previous_count
| eval change=EventCategory-previous_count
Thanks


ITWhisperer
SplunkTrust

OK, I had assumed you already had the daily counts by EventCategory, but it appears not. Try something like this:

index=advanced_hunting
| bin _time span=1d
| stats count by _time EventCategory
| streamstats window=2 current=f global=f last(count) as previous_count by EventCategory
| eval change=count-previous_count
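To make the per-category day-over-day logic concrete, here is an added Python re-implementation of the pipeline in the reply above (example code, not from the thread and not Splunk's own code). It runs over a constructed list of (timestamp, EventCategory) pairs and mirrors the four stages: bin _time span=1d, stats count by _time EventCategory, streamstats window=2 current=f last(count) as previous_count by EventCategory, and eval change=count-previous_count. The sample timestamps and categories are made up for the illustration.

```python
"""Day-over-day event-count delta per EventCategory.

Added example, not from the thread: a plain-Python model of the SPL pipeline
  index=advanced_hunting
  | bin _time span=1d
  | stats count by _time EventCategory
  | streamstats window=2 current=f global=f last(count) as previous_count by EventCategory
  | eval change=count-previous_count
run over constructed events so the semantics can be checked offline.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (ISO timestamp, EventCategory); not real logs.
SAMPLE_EVENTS = [
    ("2024-06-03T09:15:00Z", "AdvancedHunting-DeviceEvents"),
    ("2024-06-03T10:20:00Z", "AdvancedHunting-DeviceEvents"),
    ("2024-06-03T11:05:00Z", "AdvancedHunting-DeviceFileEvents"),
    ("2024-06-04T08:00:00Z", "AdvancedHunting-DeviceEvents"),
    ("2024-06-04T08:30:00Z", "AdvancedHunting-DeviceEvents"),
    ("2024-06-04T09:00:00Z", "AdvancedHunting-DeviceEvents"),
    ("2024-06-04T12:00:00Z", "AdvancedHunting-DeviceFileEvents"),
    ("2024-06-04T13:00:00Z", "AdvancedHunting-DeviceFileEvents"),
    ("2024-06-05T07:45:00Z", "AdvancedHunting-DeviceEvents"),
]


def bin_day(ts):
    """`bin _time span=1d`: truncate the timestamp to its UTC calendar day."""
    parsed = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return parsed.date()


def daily_counts(events):
    """`stats count by _time EventCategory` -> {(day, category): count}.

    Like stats, this emits no row for a (day, category) pair with zero events.
    """
    return Counter((bin_day(ts), cat) for ts, cat in events)


def day_over_day(events):
    """streamstats ... last(count) as previous_count by EventCategory
    | eval change=count-previous_count

    Rows come out in (_time, EventCategory) order, as stats would sort them.
    previous_count and change are None on a category's first row, matching
    SPL, where streamstats yields null there and null minus a number is null.
    """
    counts = daily_counts(events)
    rows = []
    last_seen = {}  # most recent count per category, i.e. the streamstats window
    for day, cat in sorted(counts):
        count = counts[(day, cat)]
        previous = last_seen.get(cat)
        rows.append({
            "_time": day.isoformat(),
            "EventCategory": cat,
            "count": count,
            "previous_count": previous,
            "change": None if previous is None else count - previous,
        })
        last_seen[cat] = count
    return rows


def latest_change(rows, category):
    """Value a single-value panel for one category would display:
    the change on that category's most recent day (None if only one day exists)."""
    for row in reversed(rows):
        if row["EventCategory"] == category:
            return row["change"]
    return None


if __name__ == "__main__":
    for row in day_over_day(SAMPLE_EVENTS):
        print(row)
```

One caveat the model makes visible: because stats emits no row for a day in which a category had zero events, previous_count is the count from the last day that category appeared, not necessarily yesterday. A source that stops logging entirely therefore never shows up as a large negative change; if that case matters, produce zero-filled buckets (for example with timechart count by EventCategory, which fills empty buckets with 0) before the streamstats step.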

jhilton90
Path Finder

That's great, that gives me the difference between the two days. Now I need to display it like the image.



ITWhisperer
SplunkTrust

Use streamstats to get the previous day's count and subtract it from each day's count.

| streamstats window=2 current=f last(count) as previous_count
| eval change=count-previous_count

jhilton90
Path Finder

Perhaps this might help. Currently I'm ingesting advanced hunting logs into an index (index=advanced_hunting), and within that index there is a field EventCategory, which has different categories such as AdvancedHunting-DeviceEvents or AdvancedHunting-DeviceFileEvents, as well as other fields like Timestamp etc.

In the main dashboard, I've got a count of each of the EventCategories, which gives me the total number of events in each EventCategory, and I need to find a way to get the difference on a daily basis.


ITWhisperer
SplunkTrust

What search do you already have? Perhaps we can build from there?
