Splunk Search

timechart conditional result

light_of_sirius
Explorer

Hello,

I have objects with names that all carry a unique and constant "Software-Signature" with them.

This signature is supposed to never change. And I know that it is in its original state at some timestamp.

Now, I want to create a dashboard that displays the object's current signature, its original signature and whether they are identical.

makeresults| eval Identical = if(sig_orig = sig_current, 1, 0) | table name sig_orig sig_current Identical 
|append[ 
search index=my_index earliest=".." latest=".."| stats values(Signatur) as sig_orig by name 
|appendcols [
search index=my_index | stats latest(Signatur) as sig_current by name
]
]

This works, besides the fact that the field Identical displays nothing.

Assuming there is a deviation and you find a 0, i.e. the two signatures are not identical, you may want to find out when that occurred, so I would like to make a timechart of the Identical field by name.

Thank you in advance, and I hope I managed to describe the task clearly.


renjith_nair
Legend

What about just getting the first and latest and comparing them?

index=my_index earliest=".." latest=".."
| stats earliest(Signatur) as sig_orig, latest(Signatur) as sig_current by name
| eval Identical = if(sig_orig == sig_current, "Yes", "No")

---
What goes around comes around. If it helps, hit it with Karma 🙂

light_of_sirius
Explorer

Thanks, and sorry for the late response.

The original signatures lie quite some time back, so I wanted to avoid having to search such a large interval.

Additionally, I would not really see the logic being applicable to a timechart.

Say I want to use the signatures of one day 2 years ago as my reference point, and I want to compare whether all the different objects had their original signature in the last week, binned daywise and by "object_name".

If you understand what I am trying to say.

Anyway, my solution for now is:

index=my_index name=* | stats latest(Signatur) as sig_c by name
|appendcols [
search index=my_index earliest="11/4/2019:08:00:00" latest="11/4/2019:18:00:00" name=*| stats latest(Signatur) as sig_o by name
]
| eval id = if(sig_o==sig_c, "iO", "niO")| table name id

And for the timechart:

index=my_index name="001"| timechart span=1d latest(Signatur) as sig_c
|appendcols [
search index=my_index earliest="11/4/2020:08:00:00" latest="11/4/2020:10:00:00" name="001"| stats latest(Signatur) as sig_o
]
| filldown sig_o
| eval id = if(sig_o==sig_c, 1, 0)| timechart span=1d values(id) as "iO/niO"

But this does not support the desired group by name yet.

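One way to get the per-name timechart the last post is still missing, and at the same time avoid re-scanning the two-year-old baseline window on every dashboard refresh, is to store the baseline once in a lookup and compare each event against it. The following is an added example, not code from the thread or from any of its participants: the first search is run once (or on a schedule) to capture the reference signatures into a CSV lookup; the second search is the dashboard panel. It reuses the thread's index, `name` and `Signatur` fields and the baseline window from the posts above; the lookup file name `signature_baseline.csv` and the one-week panel range are assumptions.

```spl
index=my_index earliest="11/4/2019:08:00:00" latest="11/4/2019:18:00:00" name=*
| stats latest(Signatur) as sig_o by name
| outputlookup signature_baseline.csv

index=my_index name=* earliest=-7d@d latest=now
| lookup signature_baseline.csv name OUTPUT sig_o
| eval id = if(Signatur == sig_o, 1, 0)
| timechart span=1d limit=0 min(id) by name
```

Because `id` is computed on every raw event rather than on a per-day `latest()`, `min(id)` marks a day as 0 for a name as soon as any event in that day carried a signature that differs from the baseline, which is what you want for spotting when a deviation first appeared. A name that has no row in the lookup gets a null `sig_o`, the comparison fails, and the name shows 0; that is the safer default, since "no baseline" means "not verified" rather than "fine". `limit=0` keeps every name as its own series instead of collapsing the long tail into OTHER. The first search only needs to be re-run when the reference point is deliberately moved, so the dashboard itself never touches the old data.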