Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

trend data from saved search

jmiddle1977
New Member
‎05-14-2014 06:11 AM

I have a saved search that looks at the previous 24 hours of data and pulls back a simple table with 4 values. Similar to below.

index=data profile_name="Workstations" | dedup src_ip | rangemap field=score Low=0-100,Medium=101-500,High=501-1000,Critical=1001-999999 | top limit=0 range

What i would like to do is to be able to see the trend of these values over time (3+ years) without having to query the 3 years worth of data.

My thought was to write the data to a lookup table each night with the date. Then, in a new search I could query that table to pull the trend over time. I'm having trouble finding a solution. if it matters, I do not have CLI access.

Thoughts? Thanks in advance

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-14-2014 07:25 AM

What you want is a summary index. Run your daily saved search of the last 24 hours and save the 4 values to a summary index. Then you can search the SI for your trend. See http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/Usesummaryindexing.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...