So I am building on some of the previous answers I got, but I want to get even more specific now and can't find guidance in the documentation. So I have a simple search already:
Please notice the bold text, which outlines what I need to be done. The current code above returns a ton of different "OOID"s, so what I want to do is to create a search which returns how many documents were either created, updated, or deleted for EACH OOID.
Can anyone guide me in the right direction?
If you already have fields for the action and the OOID, then this will be easier. My solution is to create the fields on the fly using the
sourcetype=doccloud_catalina "AOID Folder workspace" | rex "(?<action>created|updated|deleted) for OOID:(?<OOID>\S+?)," | stats count by OOID action
The regular expression in the rex command makes some assumptions about the format of the message lines, which might be incorrect...
Thanks for your answer, it works beautifully! I was wondering how to simplify the command further to only display the 5 most active OOIDs categorized by their actions: update, add, delete.
sourcetype=doccloud_catalina "AOID Folder workspace"
| rex "(?<action>created|updated|deleted) for OOID:(?<OOID>\S+?),"
| chart count by OOID action
| addtotals
| sort 5 -Total
One more thing, to display the results for the past 7 days... would I just add the timechart span to the end, or where would I put that? I really appreciate your brilliant mind!
Timechart is actually a little easier:
sourcetype=doccloud_catalina "AOID Folder workspace" | rex "(?<action>created|updated|deleted) for OOID:(?<OOID>\S+?)," | timechart limit=5 span=1d count by OOID
which will give you a single line for each of the top 5 OOIDs.
And thanks for the compliment, now I am blushing. But once you've been doing this for 5 years, it gets a lot easier...
Ok I want to put it all together now!
I want :
sourcetype=doccloud_catalina "Document workspace" | rex "(?<action>created|updated|deleted|removed) for OOID:(?<OOID>\S+?)," | chart count by OOID action | addtotals | sort 5 -Total
But to also take those same results and only display the past 7 days' activity. It's my last question, I promise! 🙂
You should be able to select the past 7 days in the time range selector and your search above would do just great. But if you want to show day-by-day results in a chart - that's a problem. Splunk can only do two-dimensional charts - and you already have 2 dimensions: OOID and action.
There is a way around it - combine OOID and action into a single field.
sourcetype=doccloud_catalina "Document workspace" | rex "(?<action>created|updated|deleted|removed) for OOID:(?<OOID>\S+?)," | eval series = OOID . ":" . action | bucket span=1d _time | chart count by series _time
It's a bit of a chore here to identify the top 5 OOIDs - I am still thinking about that - my first idea was a bust.
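One way to pin the chart to the five busiest OOIDs over the last 7 days is to pick those OOIDs in a subsearch first and then filter the main search on them before building the combined series. This is an added example, not a search from the answerer above; it assumes the same message format as the rex in this thread (the regex and the `OOID`/`action` field names are taken from the posts here), the `sourcetype` and phrase from the last post, and a fixed `earliest=-7d@d` window instead of the time range picker.

```spl
sourcetype=doccloud_catalina "Document workspace" earliest=-7d@d latest=now
| rex "(?<action>created|updated|deleted|removed) for OOID:(?<OOID>\S+?),"
| search [ search sourcetype=doccloud_catalina "Document workspace" earliest=-7d@d latest=now
           | rex "(?<action>created|updated|deleted|removed) for OOID:(?<OOID>\S+?),"
           | top limit=5 OOID showperc=f
           | fields OOID ]
| eval series = OOID . ":" . action
| timechart span=1d limit=0 count by series
```

The subsearch runs the same extraction over the same 7-day window, keeps the five OOIDs with the highest event count, and is expanded into `(OOID="a") OR (OOID="b") OR ...`. That filter is applied with the `search` command after `rex`, not in the base search, because `OOID` only exists once `rex` has extracted it. `limit=0` on `timechart` is needed because 5 OOIDs times up to 4 actions can exceed the default of 10 series, and `eval` uses `.` for string concatenation. Use the time range picker instead of the `earliest`/`latest` terms if you want the window to follow the dashboard, but keep the inner and outer windows identical, or the "top 5" will be chosen over a different period than the one charted.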