Solved: Splunk comparison search

astatrial · ‎07-22-2019

Hello,
I have difficulties with creating a comparison chart for the next data structure:

search         Count              Date
_________________________________________
check1           5             07/5/2019       
check2           3             07/5/2019
check3           6             07/5/2019
check1           7             07/6/2019
check2           12            07/6/2019
check3           2             07/6/2019

This is an example for the structure. There can be more dates.

What i am trying to achieve is a line chart by search, that every line will represent a search and there will be a time line by the date value.

To be clearer, the X axis will be the date, and the y axis will be the count.

Can anyone assist me with this ?

The data is coming from a lookup file.

adonio · ‎07-22-2019

try this anywhere:

| makeresults count=1
| eval data = "check1,5,07/5/2019;;;check2,3,07/5/2019;;;check3,6,07/5/2019;;;check1,7,07/6/2019;;;check2,12,07/6/2019;;;check3,2,07/6/2019"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<search>[^\,]+)\,(?<COUNT>\d+)\,(?<Date>.+)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "the above generates data below is the solution"
| timechart span=1d max(COUNT) as max_count by search

work with the formula
hope it helps

View solution in original post

adonio · ‎07-22-2019

try this anywhere:

| makeresults count=1
| eval data = "check1,5,07/5/2019;;;check2,3,07/5/2019;;;check3,6,07/5/2019;;;check1,7,07/6/2019;;;check2,12,07/6/2019;;;check3,2,07/6/2019"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<search>[^\,]+)\,(?<COUNT>\d+)\,(?<Date>.+)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "the above generates data below is the solution"
| timechart span=1d max(COUNT) as max_count by search

work with the formula
hope it helps

astatrial · ‎07-22-2019

Your solution is a bit problematic, because the number of searches is changing.

adonio · ‎07-22-2019

how come? the split with by clause will take as many searches under that field

astatrial · ‎07-22-2019

I don't see split with by.
But maybe you can help me with another idea i had.
Instead of this, i want to calculate the difference between the two most recent searches by search.
So if i had another date of 7/7/2019 it would calculate the difference between every count value of every search between the 7/7/2019 and the 7/6/2019

adonio · ‎07-22-2019

try this:

| makeresults count=1
| eval data = "check1,5,07/5/2019;;;check2,3,07/5/2019;;;check3,6,07/5/2019;;;check1,7,07/6/2019;;;check2,12,07/6/2019;;;check3,2,07/6/2019;;;check1,15,07/7/2019;;;check2,13,07/7/2019;;;check3,26,07/7/2019;;;check1,17,07/8/2019;;;check2,22,07/8/2019;;;check3,9,07/8/2019"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<search>[^\,]+)\,(?<COUNT>\d+)\,(?<Date>.+)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "the above generates data below is the solution"
| streamstats current=f global=false window=2 last(COUNT) as previous_count by search
| eval delta = COUNT - previous_count

astatrial · ‎07-22-2019

Thanks for your help,
I understand now what you have tried to do in the first solution.
It doesn't work for some reason.
The second solution worked fine, but i need only the last date rows (max date). I will try to solve it, but if you know how to do it, that will be great.

astatrial · ‎07-22-2019

I added this to the second solution eventually -
| eventstats max(date) as date
| where date = maxdate

Splunk comparison search

Routing logs with Splunk OTel Collector for Kubernetes

New This Month - Observability Updates Give Extended Visibility and Improve User ...

Intro to Splunk Synthetic Monitoring