Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

timechart conditional result

light_of_sirius
Explorer
‎11-05-2020 03:16 AM

Hello,

 

i have objects with names that all carry a unique and constant "Software-Signature" with them.

This signature is supposed to never change. And i know that it is in its original state at some timestamp.

Now, i want to create a dashboard that displays the objects current signature, its original signature and if they are identical.

makeresults| eval Identical = if(sig_orig = sig_current, 1, 0) | table name sig_orig sig_current Identical 
|append[ 
search index=my_index earliest=".." latest=".."| stats values(Signatur) as sig_orig by name 
|appendcols [
search index=my_index | stats latest(Signatur) as sig_current by name
]
]

 

This works besides the fact that the field identical displays nothing.

Assuming, there is deviation and you find a 0, as in the two signatures are not identical. You may want to find when that occured, so i would like to make timechart of the identical-field by name.

 

Thank you in advance, and i hope i managed to describe the task clearly. 

 

Labels (3)
Labels
0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎11-05-2020 06:01 AM

What about just getting the first and latest and compare them ? 

index=my_index earliest=".." latest=".."
| stats earliest(Signatur) as sig_orig,latest(Signatur) as sig_current by name
|eval Identical = if(sig_org == sig_current,"Yes","No")

 

Happy Splunking!
Reply

light_of_sirius
Explorer
‎11-09-2020 12:10 AM

Thx sorry for the late response.

The original signatures lay back quite some time, so i wanted to avoid having to do search such a large interval.

Additionally i would not really see the logic being applicable to a timechart.

Say i want to use the signatures of one day 2 years ago as my reference point and i want to compare if all the different objects had their original signature in the last week, binned daywise and by "object_name".

If you unterstand want i am trying to say.

 

Anyway my solution for now is

index=my_index name=* | stats latest(Signatur) as sig_c by name
|appendcols [
search index=my_index earliest="11/4/2019:08:00:00" latest="11/4/2019:18:00:00" name=*| stats latest(Signatur) as sig_o by name
]
| eval id = if(sig_o==sig_c, "iO", "niO")| table name id

 

And for the timechart

index=my_index name="001"| timechart span=1d latest(Signatur) as sig_c
|appendcols [
search index=my_index earliest="11/4/2020:08:00:00" latest="11/4/2020:10:00:00" name="001"| stats latest(Signatur) as sig_o
]
| filldown sig_o
| eval id = if(sig_o==sig_c, 1, 0)| timechart span=1d values(id) as "iO/niO"

But this does not support the desired groub by name yet.

0 Karma
Reply
Get Updates on the Splunk Community!

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...