Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Parsing results of periodical directory dumps over time into a chart

daryllj
Path Finder
‎12-01-2021 05:10 PM

hi there!

We have a daly push from Google over to our Splunk instance that provides directory information around total number of users, etc.

I have a very simple query today that can parse out the information I need into two values to cover the last directory push into Splunk:

index="google" sourcetype="*directory*" "emails{}.address"="*@mydomain.com"
| chart count by archived

This results in two values being returned from the latest directory push.

My question is this: 

I would like to have this embedded in a dashboard so that we can show historical values of this data in a bar chart over time:  ie:  how is the directory growing / shrinking week-to -week or month-to-month.

I am not sure if I should head down the timechart path, or use a different method to get this data based on the fact it is a periodical (every 24 hours) single entry pushed into the splunk server...thoughts on which path to start down would be super helpful....

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎12-01-2021 11:34 PM

Can explain your hesitation about going down the timechart path, if your goal is to show a chart over time? (That is how I interpret "week-to -week or month-to-month".)  If you want a weekly stats, you can use span=1w in timechart; similarly, you can use span=1mon, etc.

View solution in original post

Reply
Solved! Jump to solution

daryllj
Path Finder
‎12-02-2021 12:33 PM

Thanks for the guidance!  it was much easier than I thought- I adjusted my query using the span flag in timechart and then embedded the code in my dashboard and locked that to run with a relative range (past 1 month).

To answer your question, I was hesitant as I was thinking that Timechart would not be able to deal with the sporadic push to Splunk of the day- using span=3d fixed this so it is a readable chart...

end result:

index="google" sourcetype="*directory*" "emails{}.address"="*@mydomain.com"
| timechart count by archived span=3d

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎12-01-2021 11:34 PM

Can explain your hesitation about going down the timechart path, if your goal is to show a chart over time? (That is how I interpret "week-to -week or month-to-month".)  If you want a weekly stats, you can use span=1w in timechart; similarly, you can use span=1mon, etc.

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...