Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

timechart conditional result

light_of_sirius
Explorer
‎11-05-2020 03:16 AM

Hello,

 

i have objects with names that all carry a unique and constant "Software-Signature" with them.

This signature is supposed to never change. And i know that it is in its original state at some timestamp.

Now, i want to create a dashboard that displays the objects current signature, its original signature and if they are identical.

makeresults| eval Identical = if(sig_orig = sig_current, 1, 0) | table name sig_orig sig_current Identical 
|append[ 
search index=my_index earliest=".." latest=".."| stats values(Signatur) as sig_orig by name 
|appendcols [
search index=my_index | stats latest(Signatur) as sig_current by name
]
]

 

This works besides the fact that the field identical displays nothing.

Assuming, there is deviation and you find a 0, as in the two signatures are not identical. You may want to find when that occured, so i would like to make timechart of the identical-field by name.

 

Thank you in advance, and i hope i managed to describe the task clearly. 

 

Labels (3)
Labels
0 Karma
Reply

renjith_nair
Legend
‎11-05-2020 06:01 AM

What about just getting the first and latest and compare them ? 

index=my_index earliest=".." latest=".."
| stats earliest(Signatur) as sig_orig,latest(Signatur) as sig_current by name
|eval Identical = if(sig_org == sig_current,"Yes","No")

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

light_of_sirius
Explorer
‎11-09-2020 12:10 AM

Thx sorry for the late response.

The original signatures lay back quite some time, so i wanted to avoid having to do search such a large interval.

Additionally i would not really see the logic being applicable to a timechart.

Say i want to use the signatures of one day 2 years ago as my reference point and i want to compare if all the different objects had their original signature in the last week, binned daywise and by "object_name".

If you unterstand want i am trying to say.

 

Anyway my solution for now is

index=my_index name=* | stats latest(Signatur) as sig_c by name
|appendcols [
search index=my_index earliest="11/4/2019:08:00:00" latest="11/4/2019:18:00:00" name=*| stats latest(Signatur) as sig_o by name
]
| eval id = if(sig_o==sig_c, "iO", "niO")| table name id

 

And for the timechart

index=my_index name="001"| timechart span=1d latest(Signatur) as sig_c
|appendcols [
search index=my_index earliest="11/4/2020:08:00:00" latest="11/4/2020:10:00:00" name="001"| stats latest(Signatur) as sig_o
]
| filldown sig_o
| eval id = if(sig_o==sig_c, 1, 0)| timechart span=1d values(id) as "iO/niO"

But this does not support the desired groub by name yet.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...