How to compare assets from previous week and highl...

supersnedz · ‎05-24-2023

Hello

I have created a dashboard that shows the previous 4 days and the equivalent days the week before for asset counts, for example IPS devices reporting in. Some days i will have 15 devices reporting in, but the previous week may have 18, so im looking for a way to show what the missing devices are? is there a way to just pull out the devices that are missing?

Cheers

ITWhisperer · ‎05-24-2023

Count by device and day of the week, then those with count of 1 appear in either one week of the other but not both.

A slightly more sophisticated way to do this is assign 1 to those events in this week and 2 to those events in the previous weeks, then sum these values by device. Those with a sum of 3 are in both weeks, those with a sum of 2 are in the previous week only, and those with a sum of 1 are only in this week.

supersnedz · ‎05-26-2023

my current query for grabbing the total counts by day is:
index="siem-ips" cim_entity_zone="UK" | timechart dc(an) | rename dc(an) as IPS | timewrap 4d | rename IPS_4days_before as "IPS Previous Week" | rename IPS_latest_4days as "IPS Latest"
This shows a count of the previous 4 days, and then the 3 days the week before. I tried just adding a stats count on the end but it didnt load any data. I'm a bit stuck. Essentially just need to see what isnt reporting in that was previously

ITWhisperer · ‎05-26-2023

Your timewrap should be 1w not 4d as you want the same days in the previous week

How to compare assets from previous week and highlight the difference?

chart

stats

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio