Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

trend data from saved search

jmiddle1977
New Member
‎05-14-2014 06:11 AM

I have a saved search that looks at the previous 24 hours of data and pulls back a simple table with 4 values. Similar to below.

index=data profile_name="Workstations" | dedup src_ip | rangemap field=score Low=0-100,Medium=101-500,High=501-1000,Critical=1001-999999 | top limit=0 range

What i would like to do is to be able to see the trend of these values over time (3+ years) without having to query the 3 years worth of data.

My thought was to write the data to a lookup table each night with the date. Then, in a new search I could query that table to pull the trend over time. I'm having trouble finding a solution. if it matters, I do not have CLI access.

Thoughts? Thanks in advance

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-14-2014 07:25 AM

What you want is a summary index. Run your daily saved search of the last 24 hours and save the 4 values to a summary index. Then you can search the SI for your trend. See http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/Usesummaryindexing.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...