Re: How to edit my search to compare and find the ...

tmontney · ‎11-28-2016

I want to take this search and compare it against a "known good day".

index="wineventlog" AND host=$computerMS$ | top EventCode Message limit=20

My goal is to see the difference of count for each event code. For example, last Monday a machine would have had a much higher count in EventCode 7036.

EventCode:7036 Good_Day:50 Bad_Day:200 Difference:150

sundareshr · ‎11-28-2016

Assuming the count for "Good_Day" is fixed (50), try this

index="wineventlog" host=$computerMS$ | stats count as Today values(Message) as Message by EventCode | eval Good_Day=50 | eval Difference=Today-Good_Day

If "Good_Day" is relative (eg: a week ago), then try this

index="wineventlog" host=$computerMS$ ((earliest=-7d@d latest=-6d@d) OR earliest=@d) | eval when=if(_time<relative_time(now(), "@d"), "Good_Day", "Today")) | chart count values(Message) as Message over EventCode by when | eval Difference=Today-Good_Day

tmontney · ‎11-28-2016

index="wineventlog" host=$gbcompr$ | eval when=case("$gdayTime.earliest$" <= _time AND "$gdayTime.latest$" >= _time, "Good_Day", "$bdayTime.earliest$" <= _time AND "$bdayTime.latest$" >= _time, "Bad_Day") | chart count values(Message) as Message over EventCode by when | eval Difference='count: Bad_Day'-'count: Good_Day' | eval "Good Day"='count: Good_Day' | eval "Bad Day"='count: Bad_Day' | table EventCode "Bad Day" "Good Day" Difference

Figured it out.

aaraneta_splunk · ‎12-02-2016

Hi @tmontney - If sundareshr helped provide a working solution for you, please don't forget to click "Accept" below his original answer and up-vote any comments from him that were helpful. If you still need help regarding this question, please leave a comment. Thank you!

sundareshr · ‎11-28-2016

Try this version, a bit cleaner

index="wineventlog" host=$gbcompr$ | eval when=case("$gdayTime.earliest$" <= _time AND "$gdayTime.latest$" >= _time, "Good_Day", "$bdayTime.earliest$" <= _time AND "$bdayTime.latest$" >= _time, "Bad_Day") | chart count over EventCode by when | eval Difference='Bad_Day'-'Good_Day' | rename *_* AS "* *" | table EventCode "Bad Day" "Good Day" Difference

tmontney · ‎11-28-2016

This is as far as I got. I'm assuming my logic is off somewhere.

index="wineventlog" host=$computerMS$ | eval when=case("$gdayTime.earliest$" >= _time AND "$gdayTime.latest$" <= _time, "Good_Day", "$bdayTime.earliest$" >= _time AND "$bdayTime.latest$" <= _time, "Bad_Day") | chart count values(Message) as Message over EventCode by when | eval Difference='count: Bad_Day'-'count: Good_Day' | eval "Good Day"='count: Good_Day' | eval "Bad Day"='count: Bad_Day' | table EventCode "Bad Day" "Good Day" Difference

tmontney · ‎11-28-2016

Yes, sorry, both days will be chosen from a time picker. Both "good" and "bad" are relative to the time periods.

tmontney · ‎11-28-2016

I don't believe the last "eval" is working. If I try to add | table EventCode Good_Day Today Difference, only EventCode populates.

tmontney · ‎11-28-2016

Never mind, I realized the field names were wrong. Instead of "Good_Day" it was "count: Good_Day".

sundareshr · ‎11-28-2016

You may not need message. I just put it out, if you think you need it, try this modified version.

index="wineventlog" host=$computerMS$ ((earliest=-7d@d latest=-6d@d) OR earliest=@d) | eval when=if(_time

tmontney · ‎11-28-2016

How do I get it to work when both are dynamic days? Right now "good day" must be before "bad day" (from what it seems).

How to edit my search to compare and find the difference between EventCode counts?

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

How to edit my search to compare and find the difference between EventCode counts?

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard