Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my search to compare and find the ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my search to compare and find the difference between EventCode counts?
I want to take this search and compare it against a "known good day".
index="wineventlog" AND host=$computerMS$ | top EventCode Message limit=20
My goal is to see the difference of count for each event code. For example, last Monday a machine would have had a much higher count in EventCode 7036.
EventCode:7036 Good_Day:50 Bad_Day:200 Difference:150
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming the count for "Good_Day" is fixed (50), try this
index="wineventlog" host=$computerMS$ | stats count as Today values(Message) as Message by EventCode | eval Good_Day=50 | eval Difference=Today-Good_Day
If "Good_Day" is relative (eg: a week ago), then try this
index="wineventlog" host=$computerMS$ ((earliest=-7d@d latest=-6d@d) OR earliest=@d) | eval when=if(_time<relative_time(now(), "@d"), "Good_Day", "Today")) | chart count values(Message) as Message over EventCode by when | eval Difference=Today-Good_Day
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="wineventlog" host=$gbcompr$ | eval when=case("$gdayTime.earliest$" <= _time AND "$gdayTime.latest$" >= _time, "Good_Day", "$bdayTime.earliest$" <= _time AND "$bdayTime.latest$" >= _time, "Bad_Day") | chart count values(Message) as Message over EventCode by when | eval Difference='count: Bad_Day'-'count: Good_Day' | eval "Good Day"='count: Good_Day' | eval "Bad Day"='count: Bad_Day' | table EventCode "Bad Day" "Good Day" Difference
Figured it out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @tmontney - If sundareshr helped provide a working solution for you, please don't forget to click "Accept" below his original answer and up-vote any comments from him that were helpful. If you still need help regarding this question, please leave a comment. Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this version, a bit cleaner
index="wineventlog" host=$gbcompr$ | eval when=case("$gdayTime.earliest$" <= _time AND "$gdayTime.latest$" >= _time, "Good_Day", "$bdayTime.earliest$" <= _time AND "$bdayTime.latest$" >= _time, "Bad_Day") | chart count over EventCode by when | eval Difference='Bad_Day'-'Good_Day' | rename *_* AS "* *" | table EventCode "Bad Day" "Good Day" Difference
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is as far as I got. I'm assuming my logic is off somewhere.
index="wineventlog" host=$computerMS$ | eval when=case("$gdayTime.earliest$" >= _time AND "$gdayTime.latest$" <= _time, "Good_Day", "$bdayTime.earliest$" >= _time AND "$bdayTime.latest$" <= _time, "Bad_Day") | chart count values(Message) as Message over EventCode by when | eval Difference='count: Bad_Day'-'count: Good_Day' | eval "Good Day"='count: Good_Day' | eval "Bad Day"='count: Bad_Day' | table EventCode "Bad Day" "Good Day" Difference
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, sorry, both days will be chosen from a time picker. Both "good" and "bad" are relative to the time periods.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't believe the last "eval" is working. If I try to add | table EventCode Good_Day Today Difference, only EventCode populates.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Never mind, I realized the field names were wrong. Instead of "Good_Day" it was "count: Good_Day".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may not need message. I just put it out, if you think you need it, try this modified version.
index="wineventlog" host=$computerMS$ ((earliest=-7d@d latest=-6d@d) OR earliest=@d) | eval when=if(_time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I get it to work when both are dynamic days? Right now "good day" must be before "bad day" (from what it seems).
Shape the Future of Splunk: Join the Product Research Lab!
Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
