Splunk comparison search

Communicator

Hello,
I have difficulties with creating a comparison chart for the next data structure:

search    Count    Date
-------------------------------
check1    5        07/5/2019
check2    3        07/5/2019
check3    6        07/5/2019
check1    7        07/6/2019
check2    12       07/6/2019
check3    2        07/6/2019

This is an example for the structure. There can be more dates.

What I am trying to achieve is a line chart by search, where every line represents a search and there is a timeline by the date value.

To be clearer, the X axis will be the date, and the Y axis will be the count.

Can anyone assist me with this?

The data is coming from a lookup file.

SplunkTrust

try this anywhere:

| makeresults count=1
| eval data = "check1,5,07/5/2019;;;check2,3,07/5/2019;;;check3,6,07/5/2019;;;check1,7,07/6/2019;;;check2,12,07/6/2019;;;check3,2,07/6/2019"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<search>[^\,]+)\,(?<COUNT>\d+)\,(?<Date>.+)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "the above generates data below is the solution"
| timechart span=1d max(COUNT) as max_count by search

Work with the formula.
Hope it helps.

Communicator

Your solution is a bit problematic, because the number of searches is changing.

SplunkTrust

How come? The split by clause will take as many searches as there are under that field.

Communicator

I don't see a split by.
But maybe you can help me with another idea I had.
Instead of this, I want to calculate the difference between the two most recent searches, by search.
So if I had another date of 7/7/2019, it would calculate the difference between every count value of every search between 7/7/2019 and 7/6/2019.

SplunkTrust

try this:

| makeresults count=1
| eval data = "check1,5,07/5/2019;;;check2,3,07/5/2019;;;check3,6,07/5/2019;;;check1,7,07/6/2019;;;check2,12,07/6/2019;;;check3,2,07/6/2019;;;check1,15,07/7/2019;;;check2,13,07/7/2019;;;check3,26,07/7/2019;;;check1,17,07/8/2019;;;check2,22,07/8/2019;;;check3,9,07/8/2019"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<search>[^\,]+)\,(?<COUNT>\d+)\,(?<Date>.+)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "the above generates data below is the solution"
| streamstats current=f global=false window=2 last(COUNT) as previous_count by search
| eval delta = COUNT - previous_count

Communicator

Thanks for your help.
I understand now what you tried to do in the first solution.
It doesn't work for some reason.
The second solution worked fine, but I need only the last date rows (max date). I will try to solve it, but if you know how to do it, that would be great.

Communicator

I added this to the second solution eventually -
| eventstats max(_time) as maxdate
| where _time = maxdate

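The complete search the thread arrives at, run against the lookup file instead of the makeresults sample data, as an added example that is not code from the thread. The lookup name search_counts.csv is an assumption, and its columns are assumed to match the field names used in the solution (search, COUNT, Date).

```spl
| inputlookup search_counts.csv
| rename COMMENT as "assumed lookup columns: search, COUNT, Date (m/d/Y)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "lookup rows are not guaranteed to be in date order, and streamstats depends on order"
| sort 0 _time
| rename COMMENT as "previous_count is the count of the same search on the preceding date"
| streamstats current=f window=1 last(COUNT) as previous_count by search
| eval delta = COUNT - previous_count
| rename COMMENT as "keep only the latest date; compare on numeric _time, not the Date string, so 07/10 sorts after 07/5"
| eventstats max(_time) as maxdate
| where _time = maxdate
| table Date search previous_count COUNT delta
```

A search that appears for the first time on the latest date has no previous_count, so its delta is empty rather than equal to its full count; add `| fillnull value=0 previous_count` before the delta eval if the full count is the behaviour you want.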