×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
n3w4z4
Explorer
Member since: ‎09-11-2024
‎09-17-2024
Community Statistics
Posts 5
Solutions 0
Karma Given 5
Karma Received 0
Member Since ‎09-11-2024
Activity Feed
Topics I've Started
View All

Re: Timewrap command grouping by field

by in Splunk Search
‎09-16-2024 06:14 AM
‎09-16-2024 06:14 AM
Correct, it works now. Can you please edit your answer? I'll mark it as solution after that.   Thanks a lot! ... View more

Re: Timewrap command grouping by field

by in Splunk Search
‎09-16-2024 04:58 AM
‎09-16-2024 04:58 AM
Yes you are right, but I tried it correctly before that. What version of Splunk are you running? I'm on 9.1.1 and that's not how timewrap names the columns for me.   _time event_count_1week_before event_count_latest_week XXXX YYYY ZZZZ     That's how it does it. If I have an span of more than 2 weeks then it will create another column ended like *_2weeks_before   So I changed it to something like this but still, empty output.   | tstats prestats=t `summariesonly` count from datamodel="Web" where sourcetype="f5:bigip:ltm:http:irule" by _time Web.site span=10m | timechart span=10m count as event_count by Web.site useother=false limit=5 |timewrap 1w | foreach *_latest_week [ eval <<MATCHSTR>>_combined=<<MATCHSTR>>_latest_week."|".<<MATCHSTR>>_1week_before_week ] | fields _time *_combined | untable _time Web.series values | eval values=split(values,"|") | eval old=mvindex(values,0), new=mvindex(values,1) | fields - values   ... View more

Re: Timewrap command grouping by field

by in Splunk Search
‎09-16-2024 02:42 AM
‎09-16-2024 02:42 AM
Thanks for your answer. Running it like you provided it (plus adding the timewrap I think you forgot) It doesn't provide any output, I removed the last where just to troubleshoot it. I tried replacing your s0 and s1like this but it but again output is empty.   | tstats prestats=t `summariesonly` count from datamodel="Web" where sourcetype="f5:bigip:ltm:http:irule" by _time Web.site span=10m | timechart span=10m count as event_count by Web.site useother=false limit=0 |timewrap 1w | foreach *_ [ eval <<MATCHSTR>>_combined=<<MATCHSTR>>_latest_week."|".<<MATCHSTR>>_1week_before_week ] | fields _time *_combined | untable _time Web.series values | eval values=split(values,"|") | eval old=mvindex(values,0), new=mvindex(values,1) | fields - values   It looks like a complex workaround for something that sounds like a pretty standard use case to me. Do you know any other simpler way of doing this?   Thanks again!   ... View more

Re: Timewrap command grouping by field

by in Splunk Search
‎09-12-2024 06:17 AM
‎09-12-2024 06:17 AM
Thanks a lot for your answer. You are right; however, I feel this doesn't scale up well when you have too many values since it will generate "Number of Web.Site unique values" * 2 columns.... which pretty much breaks the browser. Additionally, now that I have columns with this pattern : WebSiteExample1.event_count_1week_before, ... etc. How could I write an expression like the one I had so I only filter the values where the difference between this week and the previous one is more than X percent?   I don't see an easy way to compare chunks of X minutes of data against the same time but 1 week ago. Timewrap seemed perfect for that use case but looks like it's designed only for graphical representation.   ... View more

Timewrap command grouping by field

by in Splunk Search
‎09-11-2024 10:03 AM
‎09-11-2024 10:03 AM
Hello,   I've seen many others in this forum trying to achieve something similar to what I'm trying to do but I didn't find an answer that completely satisfied me. This is the Use Case: I want to compare the number of requests received by our Web Proxy with the same period in the last week. Then I want to filter out any increase lower than X percent.   This is how I've tried to implement it using the timewrap and it's pretty close to what I want to achieve. Only problem is that the timewrap command only seems to work fine if I only group by _time.     | tstats `summariesonly` count as event_count from datamodel="Web" where sourcetype="f5:bigip:ltm:http:irule" by _time span=10m | timewrap 1w | where _time >= relative_time(now(), "-60m") | where (event_count_latest_week - event_count_1week_before) > 0 | where (((event_count_latest_week - event_count_1week_before)/event_count_latest_week)*100) >= 40     This gives me a result like this. _time event_count_1week_before_week event_count_latest_week XXXX YYYY ZZZZ     If I try to do something similar but grouping by the name of the web site that it's being accesed in the tstats command then timewrap command doesn't work for me anymore. It outputs just the latest values of 1 of the web sites.       | tstats `summariesonly` count as event_count from datamodel="Web" where sourcetype="f5:bigip:ltm:http:irule" by _time Web.site span=10m | timewrap 1w | where _time >= relative_time(now(), "-60m") | where (event_count_latest_week - event_count_1week_before) > 0 | where (((event_count_latest_week - event_count_1week_before)/event_count_latest_week)*100) >= 40       That doesn't work. Do you know why that happens and how can I achieve what I want?     Many thanks.   Kind regards.   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-17-2024 08:43 AM
Karma given to
View All