Splunk Search

Parsing results of periodical directory dumps over time into a chart

daryllj
Path Finder

hi there!

We have a daily push from Google over to our Splunk instance that provides directory information around total number of users, etc.

I have a very simple query today that can parse out the information I need into two values to cover the last directory push into Splunk:

index="google" sourcetype="*directory*" "emails{}.address"="*@mydomain.com"
| chart count by archived

This results in two values being returned from the latest directory push.

My question is this: 

I would like to have this embedded in a dashboard so that we can show historical values of this data in a bar chart over time, i.e. how is the directory growing / shrinking week-to-week or month-to-month.

I am not sure if I should head down the timechart path, or use a different method to get this data based on the fact it is a periodic (every 24 hours) single entry pushed into the Splunk server... thoughts on which path to start down would be super helpful....

0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

Can you explain your hesitation about going down the timechart path, if your goal is to show a chart over time? (That is how I interpret "week-to-week or month-to-month".)  If you want weekly stats, you can use span=1w in timechart; similarly, you can use span=1mon, etc.

View solution in original post

daryllj
Path Finder

Thanks for the guidance!  It was much easier than I thought. I adjusted my query using the span flag in timechart and then embedded the code in my dashboard and locked that to run with a relative range (past 1 month).

To answer your question, I was hesitant as I was thinking that timechart would not be able to deal with the sporadic push to Splunk of the day; using span=3d fixed this so it is a readable chart...

end result:

index="google" sourcetype="*directory*" "emails{}.address"="*@mydomain.com"
| timechart count by archived span=3d

0 Karma
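Added example (not from the original post or from Splunk): a small Python model of how `timechart count by archived span=<n>` buckets periodic directory dumps. It assumes, as in the thread, that each dump is one event per directory entry and that all events of one dump carry the same _time. It shows the caveat a practitioner should check before trusting the chart: with a daily dump and span=3d, every bucket that receives more than one dump adds their counts together, so the bar reflects dump volume rather than directory size. A second function keeps only the most recent dump in each bucket, which gives a true per-bucket snapshot. Bucket alignment to multiples of the span since the Unix epoch is a simplification for the example; Splunk's exact day alignment depends on the search-time timezone.

```python
"""Model of Splunk `timechart count by archived span=<n>` over periodic
directory dumps (added example, not Splunk's implementation)."""
from collections import defaultdict
from datetime import datetime, timezone

DAY = 86400


def _epoch(y, m, d, h=0):
    """UTC wall-clock to epoch seconds, for the constructed sample below."""
    return int(datetime(y, m, d, h, tzinfo=timezone.utc).timestamp())


def _dump(ts, active, archived):
    """One directory dump: one event per entry, all stamped with the dump time.
    (Assumption from the thread: archived is a string 'true'/'false'.)"""
    return ([{"_time": ts, "archived": "false"} for _ in range(active)]
            + [{"_time": ts, "archived": "true"} for _ in range(archived)])


# Constructed sample: six daily pushes at slightly irregular hours. The
# directory gains one active user per day, and one user is archived on day 4.
EVENTS = (
    _dump(_epoch(2024, 3, 1, 2), 10, 2)
    + _dump(_epoch(2024, 3, 2, 3), 11, 2)
    + _dump(_epoch(2024, 3, 3, 2), 12, 2)
    + _dump(_epoch(2024, 3, 4, 5), 12, 3)
    + _dump(_epoch(2024, 3, 5, 2), 13, 3)
    + _dump(_epoch(2024, 3, 6, 2), 14, 3)
)


def bucket_start(ts, span):
    """Floor the timestamp to a span boundary (simplified: multiples of the
    span since the Unix epoch)."""
    return ts - (ts % span)


def timechart_count(events, span, by="archived"):
    """Model of `timechart count by <field> span=<span>`: every event in the
    bucket is counted, so two dumps landing in one bucket are summed."""
    out = defaultdict(lambda: defaultdict(int))
    for e in events:
        out[bucket_start(e["_time"], span)][e[by]] += 1
    return {k: dict(v) for k, v in sorted(out.items())}


def timechart_latest_dump(events, span, by="archived"):
    """Snapshot per bucket: count only the events of the most recent dump in
    each bucket, so the series tracks directory size rather than volume."""
    latest = {}
    for e in events:
        b = bucket_start(e["_time"], span)
        latest[b] = max(latest.get(b, 0), e["_time"])
    out = defaultdict(lambda: defaultdict(int))
    for e in events:
        b = bucket_start(e["_time"], span)
        if e["_time"] == latest[b]:
            out[b][e[by]] += 1
    return {k: dict(v) for k, v in sorted(out.items())}


if __name__ == "__main__":
    for label, fn in (("count", timechart_count), ("latest dump", timechart_latest_dump)):
        print(f"span=3d, {label}:")
        for b, counts in fn(EVENTS, 3 * DAY).items():
            print(" ", datetime.fromtimestamp(b, timezone.utc).date(), counts)
```

With span=1d both functions agree, because each dump is alone in its bucket. With span=3d the plain count in the bucket covering 3-5 March reports 37 active users where the directory never held more than 13; the latest-dump variant reports 13. If the dashboard is meant to show directory size, use a span no larger than the push interval, or reduce each bucket to a single dump before charting.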

