Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I would like to use timechart to show the trend for 7days using below

phoebepascual
New Member
‎04-11-2019 08:13 AM

source=IN1 STATUS=SUCCESS OR STATUS=FAILED earliest=-2d@d+14h latest=-1d@d+14h APP=DEV
| stats count(APP) as "numberof_actuals"
| appendcols
[| inputlookup Indus_bim_ocf_lookup.csv
| stats count(eval(APP=DEV)) as "numberof_lkup"
]
| eval difference=(numberof_lkup - numberof_actuals)
| eval status=if(difference>=1, "MISSING", "")
| chart sum(difference) -----> i would like to use timechart but its not working, can you help?

0 Karma
Reply

somesoni2
Revered Legend
‎04-11-2019 12:29 PM

Give this a try
UPdated - both searches*

source=IN1 STATUS=SUCCESS OR STATUS=FAILED earliest=-8d@d+14h latest=-1d@d+14h APP=DEV
| timechart span=1d count as "numberof_actuals" 
| eval "numberof_lkup"=[| inputlookup Indus_bim_ocf_lookup.csv | stats count(eval(APP="DEV")) as search] 
| eval difference=(numberof_lkup - numberof_actuals)
| timechart span=1d sum(difference)

OR (if you need to do a 14h adjustment in your data)

source=IN1 STATUS=SUCCESS OR STATUS=FAILED earliest=-8d@d+14h latest=-1d@d+14h APP=DEV
| eval _time=relative_time(_time,"-14h")
| timechart span=1d count as "numberof_actuals" 
| eval "numberof_lkup"=[| inputlookup Indus_bim_ocf_lookup.csv | stats count(eval(APP="DEV")) as search] 
| eval difference=(numberof_lkup - numberof_actuals)
| timechart span=1d sum(difference)
0 Karma
Reply

phoebepascual
New Member
‎04-12-2019 05:00 AM

This also works for timechart, but the value expected is not correct.
The 7 day trend that I need is for "batch runs from 2pm to <2pm daily".
When I changed the earliest to -7d or -8d, the numbers are not correct anymore, is there a way I can subquery the above and get the -7day trend?

0 Karma
Reply

phoebepascual
New Member
‎04-12-2019 05:48 AM

Hello,
seems that below is not working,
| eval "numberof_lkup"=[| inputlookup Indus_bim_ocf_lookup.csv | stats count(eval(APP=DEV)) as search]

0 Karma
Reply

somesoni2
Revered Legend
‎04-12-2019 08:18 AM

I believe the updated version would work. (double quotes were missing, in your question too)

0 Karma
Reply

Vijeta
Influencer
‎04-11-2019 08:34 AM

@phoebepascual Firstly your earliest and latest values don't give 7 days of data, you may need to change it to -7d if you looking for 7 day. 

source=IN1 STATUS=SUCCESS OR STATUS=FAILED earliest=-7d@d+14h latest=-1d@d+14h APP=DEV
|bin span=1d _time| stats count(APP) as "numberof_actuals"  by _time| appendcols [| inputlookup Indus_bim_ocf_lookup.csv 
| stats count(eval(APP=DEV)) as "numberof_lkup" 
]
| eval difference=(numberof_lkup - numberof_actuals)
| eval status=if(difference>=1, "MISSING", "")
| timechart sum(difference)

You need to use timechart command and also in your first stats

0 Karma
Reply

phoebepascual
New Member
‎04-12-2019 01:38 AM

Thank you Vijeta! Yes it works! but.. the 7 day trend that I need is for "batch runs from 2pm to <2pm daily".
When I changed the earliest to -7d, the numbers are not correct anymore, is there a way I can subquery the above and get the -7day trend?

0 Karma
Reply

Vijeta
Influencer
‎04-12-2019 07:59 AM

@phoebepascual Can you please specify the output you are getting and the output you are looking for?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...