Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare assets from previous week and highlight the difference?

supersnedz
Path Finder
‎05-24-2023 03:00 AM

Hello

I have created a dashboard that shows the previous 4 days and the equivalent days the week before for asset counts, for example IPS devices reporting in. Some days i will have 15 devices reporting in, but the previous week may have 18, so im looking for a way to show what the missing devices are? is there a way to just pull out the devices that are missing?

 

Cheers

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2023 03:35 AM

Count by device and day of the week, then those with count of 1 appear in either one week of the other but not both.

A slightly more sophisticated way to do this is assign 1 to those events in this week and 2 to those events in the previous weeks, then sum these values by device. Those with a sum of 3 are in both weeks, those with a sum of 2 are in the previous week only, and those with a sum of 1 are only in this week.

0 Karma
Reply

supersnedz
Path Finder
‎05-26-2023 02:02 AM

my current query for grabbing the total counts by day is:
index="siem-ips" cim_entity_zone="UK" | timechart dc(an) | rename dc(an) as IPS | timewrap 4d | rename IPS_4days_before as "IPS Previous Week" | rename IPS_latest_4days as "IPS Latest"
This shows a count of the previous 4 days, and then the 3 days the week before. I tried just adding a stats count on the end but it didnt load any data. I'm a bit stuck. Essentially just need to see what isnt reporting in that was previously

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-26-2023 02:29 AM

Your timewrap should be 1w not 4d as you want the same days in the previous week

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...