Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I would like to use timechart to show the trend for 7days using below

phoebepascual
New Member
‎04-11-2019 08:13 AM

source=IN1 STATUS=SUCCESS OR STATUS=FAILED earliest=-2d@d+14h latest=-1d@d+14h APP=DEV
| stats count(APP) as "numberof_actuals"
| appendcols
[| inputlookup Indus_bim_ocf_lookup.csv
| stats count(eval(APP=DEV)) as "numberof_lkup"
]
| eval difference=(numberof_lkup - numberof_actuals)
| eval status=if(difference>=1, "MISSING", "")
| chart sum(difference) -----> i would like to use timechart but its not working, can you help?

0 Karma
Reply

somesoni2
Revered Legend
‎04-11-2019 12:29 PM

Give this a try
UPdated - both searches*

source=IN1 STATUS=SUCCESS OR STATUS=FAILED earliest=-8d@d+14h latest=-1d@d+14h APP=DEV
| timechart span=1d count as "numberof_actuals" 
| eval "numberof_lkup"=[| inputlookup Indus_bim_ocf_lookup.csv | stats count(eval(APP="DEV")) as search] 
| eval difference=(numberof_lkup - numberof_actuals)
| timechart span=1d sum(difference)

OR (if you need to do a 14h adjustment in your data)

source=IN1 STATUS=SUCCESS OR STATUS=FAILED earliest=-8d@d+14h latest=-1d@d+14h APP=DEV
| eval _time=relative_time(_time,"-14h")
| timechart span=1d count as "numberof_actuals" 
| eval "numberof_lkup"=[| inputlookup Indus_bim_ocf_lookup.csv | stats count(eval(APP="DEV")) as search] 
| eval difference=(numberof_lkup - numberof_actuals)
| timechart span=1d sum(difference)
0 Karma
Reply

phoebepascual
New Member
‎04-12-2019 05:00 AM

This also works for timechart, but the value expected is not correct.
The 7 day trend that I need is for "batch runs from 2pm to <2pm daily".
When I changed the earliest to -7d or -8d, the numbers are not correct anymore, is there a way I can subquery the above and get the -7day trend?

0 Karma
Reply

phoebepascual
New Member
‎04-12-2019 05:48 AM

Hello,
seems that below is not working,
| eval "numberof_lkup"=[| inputlookup Indus_bim_ocf_lookup.csv | stats count(eval(APP=DEV)) as search]

0 Karma
Reply

somesoni2
Revered Legend
‎04-12-2019 08:18 AM

I believe the updated version would work. (double quotes were missing, in your question too)

0 Karma
Reply

Vijeta
Influencer
‎04-11-2019 08:34 AM

@phoebepascual Firstly your earliest and latest values don't give 7 days of data, you may need to change it to -7d if you looking for 7 day. 

source=IN1 STATUS=SUCCESS OR STATUS=FAILED earliest=-7d@d+14h latest=-1d@d+14h APP=DEV
|bin span=1d _time| stats count(APP) as "numberof_actuals"  by _time| appendcols [| inputlookup Indus_bim_ocf_lookup.csv 
| stats count(eval(APP=DEV)) as "numberof_lkup" 
]
| eval difference=(numberof_lkup - numberof_actuals)
| eval status=if(difference>=1, "MISSING", "")
| timechart sum(difference)

You need to use timechart command and also in your first stats

0 Karma
Reply

phoebepascual
New Member
‎04-12-2019 01:38 AM

Thank you Vijeta! Yes it works! but.. the 7 day trend that I need is for "batch runs from 2pm to <2pm daily".
When I changed the earliest to -7d, the numbers are not correct anymore, is there a way I can subquery the above and get the -7day trend?

0 Karma
Reply

Vijeta
Influencer
‎04-12-2019 07:59 AM

@phoebepascual Can you please specify the output you are getting and the output you are looking for?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...