Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

timechart conditional result

light_of_sirius
Explorer
‎11-05-2020 03:16 AM

Hello,

 

i have objects with names that all carry a unique and constant "Software-Signature" with them.

This signature is supposed to never change. And i know that it is in its original state at some timestamp.

Now, i want to create a dashboard that displays the objects current signature, its original signature and if they are identical.

makeresults| eval Identical = if(sig_orig = sig_current, 1, 0) | table name sig_orig sig_current Identical 
|append[ 
search index=my_index earliest=".." latest=".."| stats values(Signatur) as sig_orig by name 
|appendcols [
search index=my_index | stats latest(Signatur) as sig_current by name
]
]

 

This works besides the fact that the field identical displays nothing.

Assuming, there is deviation and you find a 0, as in the two signatures are not identical. You may want to find when that occured, so i would like to make timechart of the identical-field by name.

 

Thank you in advance, and i hope i managed to describe the task clearly. 

 

Labels (3)
Labels
0 Karma
Reply

renjith_nair
Legend
‎11-05-2020 06:01 AM

What about just getting the first and latest and compare them ? 

index=my_index earliest=".." latest=".."
| stats earliest(Signatur) as sig_orig,latest(Signatur) as sig_current by name
|eval Identical = if(sig_org == sig_current,"Yes","No")

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

light_of_sirius
Explorer
‎11-09-2020 12:10 AM

Thx sorry for the late response.

The original signatures lay back quite some time, so i wanted to avoid having to do search such a large interval.

Additionally i would not really see the logic being applicable to a timechart.

Say i want to use the signatures of one day 2 years ago as my reference point and i want to compare if all the different objects had their original signature in the last week, binned daywise and by "object_name".

If you unterstand want i am trying to say.

 

Anyway my solution for now is

index=my_index name=* | stats latest(Signatur) as sig_c by name
|appendcols [
search index=my_index earliest="11/4/2019:08:00:00" latest="11/4/2019:18:00:00" name=*| stats latest(Signatur) as sig_o by name
]
| eval id = if(sig_o==sig_c, "iO", "niO")| table name id

 

And for the timechart

index=my_index name="001"| timechart span=1d latest(Signatur) as sig_c
|appendcols [
search index=my_index earliest="11/4/2020:08:00:00" latest="11/4/2020:10:00:00" name="001"| stats latest(Signatur) as sig_o
]
| filldown sig_o
| eval id = if(sig_o==sig_c, 1, 0)| timechart span=1d values(id) as "iO/niO"

But this does not support the desired groub by name yet.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Top