Splunk Search

How to search how many documents were created, updated, or deleted for each OOID in my data?

Communicator

Hi guys!

So I am building on some of the previous answers I got, but I want to get even more specific now and can't find guidance in the documentation. So I have a simple search already:

Please note that the bold text outlines what I need done. The current code above returns a ton of different "OOID"s, so what I want to do is to create a search which returns how many documents were either created, updated, or deleted for EACH OOID.

Can anyone guide me in the right direction?


Re: How to search how many documents were created, updated, or deleted for each OOID in my data?

Legend

If you already have fields for the action and the OOID, then this will be easier. My solution is to create the fields on the fly using the rex command:

sourcetype=doccloud_catalina "AOID Folder workspace"
| rex "(?<action>created|updated|deleted) for OOID:(?<OOID>\S+?),"
| stats count by OOID action

The regular expression in the rex command makes some assumptions about the format of the message lines, which might be incorrect...

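The extraction and count that the rex/stats pipeline above performs, as an added Python example that is not part of the thread and not Splunk code: the same regular expression (in Python's (?P<name>...) syntax) is run over a few constructed log lines whose layout is assumed, and the events the pattern does not match are reported separately, since in Splunk such events get no OOID field and silently drop out of `stats count by OOID action`.

```python
import re
from collections import Counter

# Constructed sample events (the layout is an assumption, not real doccloud_catalina output):
# the rex pattern needs "<action> for OOID:<id>," with a comma right after the OOID.
SAMPLE_EVENTS = [
    "2020-01-06 10:00:01 INFO Document created for OOID:a1b2c3, AOID Folder workspace",
    "2020-01-06 10:05:12 INFO Document updated for OOID:a1b2c3, AOID Folder workspace",
    "2020-01-06 11:00:00 INFO Document deleted for OOID:d4e5f6, AOID Folder workspace",
    "2020-01-06 11:30:00 INFO Document updated for OOID:a1b2c3, AOID Folder workspace",
    # Same information, different layout: no comma after the OOID, so the pattern fails
    "2020-01-06 12:00:00 INFO Document created for OOID:g7h8i9 AOID Folder workspace",
]

# The answer's rex pattern; Python spells named groups (?P<name>...) instead of (?<name>...)
REX = re.compile(r"(?P<action>created|updated|deleted) for OOID:(?P<OOID>\S+?),")


def extract(event):
    """Mirror of rex: return {'action': ..., 'OOID': ...} or None when the pattern does not match."""
    m = REX.search(event)
    return m.groupdict() if m else None


def count_by_ooid_action(events):
    """Mirror of `stats count by OOID action`: events with no extracted fields are left out."""
    counts = Counter()
    for ev in events:
        fields = extract(ev)
        if fields:
            counts[(fields["OOID"], fields["action"])] += 1
    return counts


def unmatched(events):
    """Events the pattern silently skipped; in Splunk they can be found with `| where isnull(OOID)`."""
    return [ev for ev in events if extract(ev) is None]


if __name__ == "__main__":
    for (ooid, action), n in sorted(count_by_ooid_action(SAMPLE_EVENTS).items()):
        print(f"{ooid:10} {action:8} {n}")
    for ev in unmatched(SAMPLE_EVENTS):
        print("no match:", ev)
```

Running it shows three counted OOID/action pairs and one skipped line; checking the skipped lines is the quick way to confirm the format assumption the answer mentions before trusting the totals.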

Re: How to search how many documents were created, updated, or deleted for each OOID in my data?

Communicator

Thanks for your answer, it works beautifully! I was wondering how to simplify the command further to only display the 5 most active OOIDs categorized by their actions to update, add, delete.


Re: How to search how many documents were created, updated, or deleted for each OOID in my data?

Legend

sourcetype=doccloud_catalina "AOID Folder workspace"
| rex "(?<action>created|updated|deleted) for OOID:(?<OOID>\S+?),"
| chart count by OOID action
| addtotals
| sort 5 -Total
should work


Re: How to search how many documents were created, updated, or deleted for each OOID in my data?

Communicator

One more thing, to display the results for the past 7 days... would I just add the timechart span to the end, or where would I put that? I really appreciate your brilliant mind!


Re: How to search how many documents were created, updated, or deleted for each OOID in my data?

Legend

Timechart is actually a little easier:

sourcetype=doccloud_catalina "AOID Folder workspace"
| rex "(?<action>created|updated|deleted) for OOID:(?<OOID>\S+?),"
| timechart limit=5 span=1d count by OOID

which will give you a single line for each of the top 5 OOIDs.

And thanks for the compliment, now I am blushing. But once you've been doing this for 5 years, it gets a lot easier...


Re: How to search how many documents were created, updated, or deleted for each OOID in my data?

Communicator

Ok I want to put it all together now!

I want :

sourcetype=doccloud_catalina "Document workspace"
| rex "(?<action>created|updated|deleted|removed) for OOID:(?<OOID>\S+?),"
| chart count by OOID action 
| addtotals
| sort 5 -Total

But I also want to take those same results and only display the past 7 days' activity. It's my last question, I promise! 🙂


Re: How to search how many documents were created, updated, or deleted for each OOID in my data?

Legend

You should be able to select the past 7 days in the time range selector and your search above would do just great. But if you want to show day-by-day results in a chart - that's a problem. Splunk can only do two dimensional charts - and you already have 2 dimensions: OOID and action.

There is a way around it - combine OOID and action into a single field.

sourcetype=doccloud_catalina "Document workspace"
| rex "(?<action>created|updated|deleted|removed) for OOID:(?<OOID>\S+?),"
| eval series = OOID + ":" + action
| bucket span=1d _time
| chart count by series _time

It's a bit of a chore here to identify the top 5 OOIDs - I am still thinking about that - my first idea was a bust.
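To make the workaround in the last answer concrete, here is an added Python example (not from the thread, and not Splunk code) that reproduces the series = OOID:action combination and the one-day bucketing, and then goes one step beyond the thread by restricting the daily table to the top 5 OOIDs by total count, the filter the answerer was still looking for. The log layout, the timestamp format at the start of each line, and the OOID values are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# The rex pattern from the thread, in Python's (?P<name>...) named-group syntax
REX = re.compile(r"(?P<action>created|updated|deleted|removed) for OOID:(?P<OOID>\S+?),")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed: each line starts with a 19-character timestamp

# Constructed sample events spanning three days (layout is an assumption)
SAMPLE_EVENTS = [
    "2020-01-06 09:00:00 INFO Document created for OOID:a1, Document workspace",
    "2020-01-06 09:10:00 INFO Document updated for OOID:a1, Document workspace",
    "2020-01-07 09:00:00 INFO Document updated for OOID:a1, Document workspace",
    "2020-01-07 10:00:00 INFO Document removed for OOID:b2, Document workspace",
    "2020-01-07 11:00:00 INFO Document created for OOID:c3, Document workspace",
    "2020-01-08 08:00:00 INFO Document deleted for OOID:d4, Document workspace",
    "2020-01-08 08:30:00 INFO Document created for OOID:e5, Document workspace",
    "2020-01-08 09:00:00 INFO Document updated for OOID:f6, Document workspace",
    "2020-01-08 09:30:00 INFO Document updated for OOID:f6, Document workspace",
]


def parse(event):
    """Return (day, OOID, action), or None when the rex pattern does not match."""
    m = REX.search(event)
    if not m:
        return None
    # bucket span=1d _time: truncate the timestamp to its calendar day
    day = datetime.strptime(event[:19], TS_FORMAT).date().isoformat()
    return day, m.group("OOID"), m.group("action")


def top_ooids(events, limit=5):
    """addtotals + sort <limit> -Total: OOIDs ranked by their total event count."""
    totals = Counter()
    for ev in events:
        rec = parse(ev)
        if rec:
            totals[rec[1]] += 1
    return [ooid for ooid, _ in totals.most_common(limit)]


def daily_series(events, limit=5):
    """chart count by series _time, kept to the top <limit> OOIDs.

    Returns {series: {day: count}} where series is OOID + ":" + action.
    """
    keep = set(top_ooids(events, limit))
    table = defaultdict(Counter)
    for ev in events:
        rec = parse(ev)
        if rec and rec[1] in keep:
            day, ooid, action = rec
            table[f"{ooid}:{action}"][day] += 1   # eval series = OOID + ":" + action
    return {series: dict(days) for series, days in table.items()}


if __name__ == "__main__":
    print("top OOIDs:", top_ooids(SAMPLE_EVENTS))
    for series, days in sorted(daily_series(SAMPLE_EVENTS).items()):
        print(f"{series:12}", dict(sorted(days.items())))
```

Splunk's chart lays the result out as one row per series with a column per day; the dictionary returned here holds the same numbers keyed by series and then by day, and any OOID outside the top 5 (e5 in the sample) is absent from it. Ranking on totals rather than on a single action is what keeps one busy day from pushing out an OOID that is steadily active.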


Re: How to search how many documents were created, updated, or deleted for each OOID in my data?

Communicator

Please keep me updated!
