Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query to Display change in values of fields

muralianup
Communicator
‎07-27-2017 04:07 AM

I trying to write a query to check the changes in versions of a software. When using timechart (stacked) I can see multiple columns (when there was change in the version of software) and I am trying to display only those days which had occurrence of multiple columns in the graph. Any suggestions ?alt text

Preview file
14 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

muralianup
Communicator
‎08-03-2017 02:18 AM

The streamstats command helped. Borrowed the concept from one of the Splunk blog entries (on tracking DHCP lease for a particular MAC id).

| streamstats current=false last(Version) as new_Version last(_time) AS time_of_change BY src_ip | where Version!=new_Version | convert ctime(time_of_change) AS time_of_change | rename Version as old_Version | stats count by date_wday

View solution in original post

Reply
Solved! Jump to solution
Solution

muralianup
Communicator
‎08-03-2017 02:18 AM

The streamstats command helped. Borrowed the concept from one of the Splunk blog entries (on tracking DHCP lease for a particular MAC id).

| streamstats current=false last(Version) as new_Version last(_time) AS time_of_change BY src_ip | where Version!=new_Version | convert ctime(time_of_change) AS time_of_change | rename Version as old_Version | stats count by date_wday

Reply
Solved! Jump to solution

niketn
Legend
‎08-03-2017 03:25 AM

@muralianup, please accept your Answer to mark the question as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-27-2017 05:22 AM

Can you share your query? Without knowing that, my suggestion would be to add following to your existing search.

your current search producing above output
| eval versions=0
| foreach * [eval versions=if('<<FIELD>>' > 0,versions+1,versions)]
| where versions>1 | fields -versions
Reply
Solved! Jump to solution

muralianup
Communicator
‎07-27-2017 05:34 AM

Base query is index=web_prxy domain=abc useragent= | rex filed=useragent "(?P[\d]*)" | timechart count by Version limit=5

Does stereamstats helps ?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-27-2017 09:07 AM

Just extending @somesoni2 's Answer to your scenario.

<YourBaseSearch>
| rename * as Count*
| rename Count_time as _time
| rename Count_span as _span
| eval versions=0
| foreach Count* [eval versions=if(<<FIELD>> > 0,versions+1,versions)]
| search versions>1
| fields - versions
| rename Count* as *
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...