Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare assets from previous week and highlight the difference?

supersnedz
Path Finder
‎05-24-2023 03:00 AM

Hello

I have created a dashboard that shows the previous 4 days and the equivalent days the week before for asset counts, for example IPS devices reporting in. Some days i will have 15 devices reporting in, but the previous week may have 18, so im looking for a way to show what the missing devices are? is there a way to just pull out the devices that are missing?

 

Cheers

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2023 03:35 AM

Count by device and day of the week, then those with count of 1 appear in either one week of the other but not both.

A slightly more sophisticated way to do this is assign 1 to those events in this week and 2 to those events in the previous weeks, then sum these values by device. Those with a sum of 3 are in both weeks, those with a sum of 2 are in the previous week only, and those with a sum of 1 are only in this week.

0 Karma
Reply

supersnedz
Path Finder
‎05-26-2023 02:02 AM

my current query for grabbing the total counts by day is:
index="siem-ips" cim_entity_zone="UK" | timechart dc(an) | rename dc(an) as IPS | timewrap 4d | rename IPS_4days_before as "IPS Previous Week" | rename IPS_latest_4days as "IPS Latest"
This shows a count of the previous 4 days, and then the 3 days the week before. I tried just adding a stats count on the end but it didnt load any data. I'm a bit stuck. Essentially just need to see what isnt reporting in that was previously

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-26-2023 02:29 AM

Your timewrap should be 1w not 4d as you want the same days in the previous week

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...