×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mikem
Explorer
Member since: ‎01-16-2023
‎01-17-2023
Community Statistics
Posts 3
Solutions 0
Karma Given 3
Karma Received 3
Member Since ‎01-16-2023
Activity Feed
Topics I've Started
View All

Re: How to show eventstats over time?

by in Splunk Search
‎01-19-2023 05:44 AM
2 Karma
‎01-19-2023 05:44 AM
2 Karma
i walked thru this line by line   had to break up the total collection into | stats count(eval(source="rest://MSGraph Group1 Members")) as total1 count(eval(source="rest://MSGraph Group 2 Members")) as total2 count(eval(source="rest://MSGraph Group 3 Members")) as total3 count(eval(source="rest://MSGraph CL Users")) as current by _time id  | eval total=total1+total2+total3   ... View more

Re: How to show eventstats over time?

by in Splunk Search
‎01-18-2023 05:45 AM
1 Karma
‎01-18-2023 05:45 AM
1 Karma
i had thought this would work, and had tried something similar before using eventstats.   when I execute this nothing is returned. I am wondering if this is because the data is populated by API calls and the timestamps on the data are when the API call was executed.   the dedup is to cleanup if the API call was run more than once in a 24h period ... View more

How to show eventstats over time?

by in Splunk Search
‎01-17-2023 08:34 AM
‎01-17-2023 08:34 AM
i currently have a query that returns what I need for a single day.   ( index=microsoftcloud sourcetype="ms:azure:accounts" source="rest*group*") OR (index=microsoftcloud sourcetype="ms:azure:accounts" source="rest*User*") | where match(userPrincipalName,"domain name") or match(userPrincipalName,"domain name") | eventstats count by id | eventstats count(eval((source="rest://MSGraph Group1 Members" OR (source="rest://MSGraph Group 2 Members") or (source="rest://MSGraph Group 3 Members") ))) as total | eventstats count(eval(source="rest://MSGraph CL Users" AND count>1)) as current | dedup total, current | eval perc=round(current*100/total,1)."%" | eval missing=total-current | rename total as "In Scope Users" | rename current as "Current Users" | rename perc as "Percent Compliant" | rename missing as "Missing" | table "In Scope Users", "Current Users", "Missing", "Percent Compliant"   I am trying to make this show me a chart over the previous month that show me the daily result of the posted query.   I have tried many "solutions" from the web, but nothing has worked.  Any help is appreciated ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-17-2023 01:59 PM
Karma from
View All
Karma given to
View All