Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to write a conditional timechart search that will not count more than 1 event per day?

splunkrsherman
New Member
‎06-22-2015 05:03 PM

I'd like an efficient search that will return either "Yes" or "No" for a timechart per day. I would imagine a limiting function and some evaluation may be necessary. I'm trying to avoid having splunk chew through counting more than 1 log record per day to simply confirm logs were simply present for that condition in the day.

I would imagine the search would like: 

base search | timechart span=1d limit 1 as count | eval if(count > 0), "Yes", "No"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-22-2015 06:02 PM

Like this:

Index=* | dedup date_month date_mday host sourcetype | timechart span=1d | where count=0

This will show you sources of data that have not reported events in any full day, the most efficient way.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-22-2015 06:02 PM

Like this:

Index=* | dedup date_month date_mday host sourcetype | timechart span=1d | where count=0

This will show you sources of data that have not reported events in any full day, the most efficient way.

0 Karma
Reply
Solved! Jump to solution

splunkrsherman
New Member
‎06-24-2015 03:03 PM

Thanks woodcock, this is useful and where a report is empty it indicates there were no days with 0 logs. Is there a way to inversely have a record for each day at least 1 log was present? For instance, a "Yes" for each day during the time period at least 1 log event matches the search string.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-26-2015 06:21 AM

Try this:

index=* | dedup date_month date_mday host sourcetype | timechart span=1d | eval OK=if(count=0,"NO","YES")

Don't forget to "Accept" the answer.

0 Karma
Reply
Solved! Jump to solution

splunkrsherman
New Member
‎06-26-2015 10:24 AM

woodcock, thanks for your continued response.

Seems like the right track, but timechart will not work for me without supplying a field to chart by, I'm guessing I should use count. When I do that it dedups and rolls all into the most recent date/time with a count of days (7 for a week).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...