Splunk Search

How to search how many documents were created, updated, or deleted for each OOID in my data?

splunkman341
Communicator

Hi guys!

So I am building on some of the previous answers I got, but I want to get even more specific now and can't find guidance in the documentation. So I have a simple search already:

Please notice that the bold text outlines what I need to be done. The current code above returns a ton of different "OOID"s, so what I want to do is to create a search which returns how many documents were either created, updated, or deleted for EACH OOID.

Can anyone guide me in the right direction?

1 Solution

lguinn2
Legend

If you already have fields for the action and the OOID, then this will be easier. My solution is to create the fields on the fly using the rex command:

sourcetype=doccloud_catalina "AOID Folder workspace"
| rex "(?<action>created|updated|deleted) for OOID:(?<OOID>\S+?),"
| stats count by OOID action

The regular expression in the rex command makes some assumptions about the format of the message lines, which might be incorrect...

splunkman341
Communicator

Thanks for your answer, it works beautifully! I was wondering how to simplify the command further to only display the 5 most active OOIDs categorized by their actions to update, add, delete.


lguinn2
Legend

sourcetype=doccloud_catalina "AOID Folder workspace"
| rex "(?<action>created|updated|deleted) for OOID:(?<OOID>\S+?),"
| chart count by OOID action
| addtotals
| sort 5 -Total
should work

splunkman341
Communicator

One more thing, to display the results for the past 7 days...would I just add the timechart span to the end, or where would I put that? I really appreciate your brilliant mind!


lguinn2
Legend

Timechart is actually a little easier:

sourcetype=doccloud_catalina "AOID Folder workspace"
| rex "(?<action>created|updated|deleted) for OOID:(?<OOID>\S+?),"
| timechart limit=5 span=1d count by OOID

which will give you a single line for each of the top 5 OOIDs.

And thanks for the compliment, now I am blushing. But once you've been doing this for 5 years, it gets a lot easier...

splunkman341
Communicator

Ok I want to put it all together now!

I want :

sourcetype=doccloud_catalina "Document workspace"
| rex "(?<action>created|updated|deleted|removed) for OOID:(?<OOID>\S+?),"
| chart count by OOID action 
| addtotals
| sort 5 -Total

But to also take those same results and only display the past 7 day activity. It's my last question I promise ! 🙂


lguinn2
Legend

You should be able to select the past 7 days in the time range selector and your search above would do just great. But if you want to show day-by-day results in a chart - that's a problem. Splunk can only do two dimensional charts - and you already have 2 dimensions: OOID and action.

There is a way around it - combine OOID and action into a single field.

sourcetype=doccloud_catalina "Document workspace"
| rex "(?<action>created|updated|deleted|removed) for OOID:(?<OOID>\S+?),"
| eval series = OOID + ":" + action
| bucket span=1d _time
| chart count by series _time

It's a bit of a chore here to identify the top 5 OOIDs - I am still thinking about that - my first idea was a bust.
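As lguinn2 notes, the rex pattern assumes a particular message layout, so it is worth dry-running it against a few real events before trusting the counts. The following is an added example, not code from the thread or from Splunk: it replays the three searches above (`stats count by OOID action`, `chart ... | addtotals | sort 5 -Total`, and the `eval series ... | bucket span=1d` variant) in plain Python over constructed sample events. The event format, the OOID values and the timestamps are assumptions for illustration only; Splunk's rex uses PCRE named groups `(?<name>...)`, which Python's `re` spells `(?P<name>...)`, so the regex is otherwise the one posted (with `removed` included, as in the later searches).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not taken from the original thread). The layout
# "<action> for OOID:<id>," is an assumption that matches the posted regex;
# real doccloud_catalina lines may differ, which is why a test like this is
# worth running before relying on the resulting counts.
SAMPLE_EVENTS = [
    "2024-03-01T09:15:02Z INFO Document workspace: document created for OOID:abc123, user=u1",
    "2024-03-01T10:02:44Z INFO Document workspace: document updated for OOID:abc123, user=u2",
    "2024-03-01T11:40:10Z INFO Document workspace: document deleted for OOID:def456, user=u1",
    "2024-03-02T08:00:00Z INFO Document workspace: document created for OOID:def456, user=u3",
    "2024-03-02T08:05:00Z INFO Document workspace: document updated for OOID:abc123, user=u3",
    "2024-03-02T12:30:00Z INFO Document workspace: document removed for OOID:ghi789, user=u1",
    "2024-03-03T07:00:00Z INFO Document workspace: heartbeat ok",  # no match: rex drops it too
]

# Same pattern as the thread's rex, with Python's (?P<name>...) group syntax.
ACTION_RE = re.compile(r"(?P<action>created|updated|deleted|removed) for OOID:(?P<OOID>\S+?),")
TS_RE = re.compile(r"^(\S+)\s")


def extract(events):
    """Mimic `rex`: yield (timestamp, OOID, action) for matching events, skip the rest."""
    rows = []
    for line in events:
        m = ACTION_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(TS_RE.match(line).group(1), "%Y-%m-%dT%H:%M:%SZ")
        rows.append((ts, m.group("OOID"), m.group("action")))
    return rows


def count_by_ooid_action(rows):
    """Equivalent of `stats count by OOID action`."""
    return Counter((ooid, action) for _, ooid, action in rows)


def top_n_by_total(rows, n=5):
    """Equivalent of `chart count by OOID action | addtotals | sort n -Total`:
    one row per OOID with per-action counts and a Total, highest totals first."""
    table = defaultdict(Counter)
    for _, ooid, action in rows:
        table[ooid][action] += 1
    ranked = sorted(table.items(), key=lambda kv: sum(kv[1].values()), reverse=True)
    return [(ooid, dict(c), sum(c.values())) for ooid, c in ranked[:n]]


def daily_series(rows):
    """Equivalent of `eval series=OOID.":".action | bucket span=1d _time | chart count by series _time`,
    returned as {series: {day: count}}."""
    out = defaultdict(Counter)
    for ts, ooid, action in rows:
        out[f"{ooid}:{action}"][ts.date().isoformat()] += 1
    return {k: dict(v) for k, v in out.items()}


if __name__ == "__main__":
    rows = extract(SAMPLE_EVENTS)
    for (ooid, action), n in sorted(count_by_ooid_action(rows).items()):
        print(f"{ooid:8} {action:8} {n}")
    print(top_n_by_total(rows))
    print(daily_series(rows))
```

Feeding a handful of real events into `SAMPLE_EVENTS` is the quickest way to confirm the regex captures the OOID you expect and that the non-matching lines are the ones you intend to drop, since rex silently skips events that do not match.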

splunkman341
Communicator

Please keep me updated!
