Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

If I have a result from an hourly Splunk alert, how can I compare this with the previous hour's data?

aartist
New Member
‎09-28-2015 12:57 PM

I have an hourly alert in Splunk which produces results like:

host   error           count
A      database down   20
B      server down     15

How I can compare this data with previous hour's data and show the ups and downs in the result?
I'd like to do it without the searching the previous hour's data again for performance reasons.

Thanks.

Tags (2)
0 Karma
Reply

masonmorales
Influencer
‎09-28-2015 01:25 PM

You can do this by creating a summary index, and then selecting "enable summary indexing" under alert actions. You can then search the summary index and use something like steamstats with an eval function to compare the current hour to the last hour.

Reply

aartist
New Member
‎09-28-2015 03:58 PM

I didn't find the "enable summary indexing". Perhaps my Splunk administrator didn't do it. and I don't have any control over it. Is there a way around?

0 Karma
Reply

masonmorales
Influencer
‎09-28-2015 05:17 PM

I would ask your Splunk admin to do it. There is the option of editing the search to outputcsv. Then, you could do an inputlookup on that and do streamstats, but a CSV file isn't going to scale very well...

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...