Splunk Search

Splunk comparison search

astatrial
Contributor

Hello,
I have difficulties with creating a comparison chart for the next data structure:

search         Count              Date
_________________________________________
check1           5             07/5/2019       
check2           3             07/5/2019
check3           6             07/5/2019
check1           7             07/6/2019
check2           12            07/6/2019
check3           2             07/6/2019                         

This is an example for the structure. There can be more dates.

What i am trying to achieve is a line chart by search, that every line will represent a search and there will be a time line by the date value.

To be clearer, the X axis will be the date, and the y axis will be the count.

Can anyone assist me with this ?

The data is coming from a lookup file.

0 Karma
1 Solution

adonio
Ultra Champion

try this anywhere:

| makeresults count=1
| eval data = "check1,5,07/5/2019;;;check2,3,07/5/2019;;;check3,6,07/5/2019;;;check1,7,07/6/2019;;;check2,12,07/6/2019;;;check3,2,07/6/2019"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<search>[^\,]+)\,(?<COUNT>\d+)\,(?<Date>.+)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "the above generates data below is the solution"
| timechart span=1d max(COUNT) as max_count by search

work with the formula
hope it helps

View solution in original post

0 Karma

adonio
Ultra Champion

try this anywhere:

| makeresults count=1
| eval data = "check1,5,07/5/2019;;;check2,3,07/5/2019;;;check3,6,07/5/2019;;;check1,7,07/6/2019;;;check2,12,07/6/2019;;;check3,2,07/6/2019"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<search>[^\,]+)\,(?<COUNT>\d+)\,(?<Date>.+)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "the above generates data below is the solution"
| timechart span=1d max(COUNT) as max_count by search

work with the formula
hope it helps

0 Karma

astatrial
Contributor

Your solution is a bit problematic, because the number of searches is changing.

0 Karma

adonio
Ultra Champion

how come? the split with by clause will take as many searches under that field

0 Karma

astatrial
Contributor

I don't see split with by.
But maybe you can help me with another idea i had.
Instead of this, i want to calculate the difference between the two most recent searches by search.
So if i had another date of 7/7/2019 it would calculate the difference between every count value of every search between the 7/7/2019 and the 7/6/2019

0 Karma

adonio
Ultra Champion

try this:

| makeresults count=1
| eval data = "check1,5,07/5/2019;;;check2,3,07/5/2019;;;check3,6,07/5/2019;;;check1,7,07/6/2019;;;check2,12,07/6/2019;;;check3,2,07/6/2019;;;check1,15,07/7/2019;;;check2,13,07/7/2019;;;check3,26,07/7/2019;;;check1,17,07/8/2019;;;check2,22,07/8/2019;;;check3,9,07/8/2019"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<search>[^\,]+)\,(?<COUNT>\d+)\,(?<Date>.+)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "the above generates data below is the solution"
| streamstats current=f global=false window=2 last(COUNT) as previous_count by search
| eval delta = COUNT - previous_count
0 Karma

astatrial
Contributor

Thanks for your help,
I understand now what you have tried to do in the first solution.
It doesn't work for some reason.
The second solution worked fine, but i need only the last date rows (max date). I will try to solve it, but if you know how to do it, that will be great.

0 Karma

astatrial
Contributor

I added this to the second solution eventually -
| eventstats max(date) as date
| where date = maxdate

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...