Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

timechart conditional result

light_of_sirius
Explorer
‎11-05-2020 03:16 AM

Hello,

 

i have objects with names that all carry a unique and constant "Software-Signature" with them.

This signature is supposed to never change. And i know that it is in its original state at some timestamp.

Now, i want to create a dashboard that displays the objects current signature, its original signature and if they are identical.

makeresults| eval Identical = if(sig_orig = sig_current, 1, 0) | table name sig_orig sig_current Identical 
|append[ 
search index=my_index earliest=".." latest=".."| stats values(Signatur) as sig_orig by name 
|appendcols [
search index=my_index | stats latest(Signatur) as sig_current by name
]
]

 

This works besides the fact that the field identical displays nothing.

Assuming, there is deviation and you find a 0, as in the two signatures are not identical. You may want to find when that occured, so i would like to make timechart of the identical-field by name.

 

Thank you in advance, and i hope i managed to describe the task clearly. 

 

Labels (3)
Labels
0 Karma
Reply

renjith_nair
Legend
‎11-05-2020 06:01 AM

What about just getting the first and latest and compare them ? 

index=my_index earliest=".." latest=".."
| stats earliest(Signatur) as sig_orig,latest(Signatur) as sig_current by name
|eval Identical = if(sig_org == sig_current,"Yes","No")

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

light_of_sirius
Explorer
‎11-09-2020 12:10 AM

Thx sorry for the late response.

The original signatures lay back quite some time, so i wanted to avoid having to do search such a large interval.

Additionally i would not really see the logic being applicable to a timechart.

Say i want to use the signatures of one day 2 years ago as my reference point and i want to compare if all the different objects had their original signature in the last week, binned daywise and by "object_name".

If you unterstand want i am trying to say.

 

Anyway my solution for now is

index=my_index name=* | stats latest(Signatur) as sig_c by name
|appendcols [
search index=my_index earliest="11/4/2019:08:00:00" latest="11/4/2019:18:00:00" name=*| stats latest(Signatur) as sig_o by name
]
| eval id = if(sig_o==sig_c, "iO", "niO")| table name id

 

And for the timechart

index=my_index name="001"| timechart span=1d latest(Signatur) as sig_c
|appendcols [
search index=my_index earliest="11/4/2020:08:00:00" latest="11/4/2020:10:00:00" name="001"| stats latest(Signatur) as sig_o
]
| filldown sig_o
| eval id = if(sig_o==sig_c, 1, 0)| timechart span=1d values(id) as "iO/niO"

But this does not support the desired groub by name yet.

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Top