- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- timechart conditional result
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
timechart conditional result
Hello,
i have objects with names that all carry a unique and constant "Software-Signature" with them.
This signature is supposed to never change. And i know that it is in its original state at some timestamp.
Now, i want to create a dashboard that displays the objects current signature, its original signature and if they are identical.
makeresults| eval Identical = if(sig_orig = sig_current, 1, 0) | table name sig_orig sig_current Identical
|append[
search index=my_index earliest=".." latest=".."| stats values(Signatur) as sig_orig by name
|appendcols [
search index=my_index | stats latest(Signatur) as sig_current by name
]
]
This works besides the fact that the field identical displays nothing.
Assuming, there is deviation and you find a 0, as in the two signatures are not identical. You may want to find when that occured, so i would like to make timechart of the identical-field by name.
Thank you in advance, and i hope i managed to describe the task clearly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
What about just getting the first and latest and compare them ?
index=my_index earliest=".." latest=".."
| stats earliest(Signatur) as sig_orig,latest(Signatur) as sig_current by name
|eval Identical = if(sig_org == sig_current,"Yes","No")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Thx sorry for the late response.
The original signatures lay back quite some time, so i wanted to avoid having to do search such a large interval.
Additionally i would not really see the logic being applicable to a timechart.
Say i want to use the signatures of one day 2 years ago as my reference point and i want to compare if all the different objects had their original signature in the last week, binned daywise and by "object_name".
If you unterstand want i am trying to say.
Anyway my solution for now is
index=my_index name=* | stats latest(Signatur) as sig_c by name
|appendcols [
search index=my_index earliest="11/4/2019:08:00:00" latest="11/4/2019:18:00:00" name=*| stats latest(Signatur) as sig_o by name
]
| eval id = if(sig_o==sig_c, "iO", "niO")| table name id
And for the timechart
index=my_index name="001"| timechart span=1d latest(Signatur) as sig_c
|appendcols [
search index=my_index earliest="11/4/2020:08:00:00" latest="11/4/2020:10:00:00" name="001"| stats latest(Signatur) as sig_o
]
| filldown sig_o
| eval id = if(sig_o==sig_c, 1, 0)| timechart span=1d values(id) as "iO/niO"But this does not support the desired groub by name yet.
How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.
Learn More or Register Now >
