Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you calculate the percentage based upon the selection made in filter?

sbhatnagar88
Path Finder
‎01-30-2019 04:57 AM

We have a dashboard panel which shows overall AV compliance % for windows servers.code is as below.

index=dbconnect sourcetype=dbconnect:sql:SCCM_AVCompliance_AllServers 
| table Name DC OU ResourceID SignatureUpTo1DayOld AntivirusSignatureAge AntivirusSignatureUpdateDateTime AntivirusSignatureVersion 
| rename Name as host 
| join host 
    [| inputlookup elixpediadashboardservers.csv 
    | search (host="*") Environment="*" 
    | search "Operating System"=WINDOWS] 
| append 
    [| inputlookup elixpediadashboardservers.csv 
    | search (host="*") Environment="*" 
    | search "Operating System"=WINDOWS] 
| dedup host  
| fillnull AntivirusSignatureAge Value=2 
| eval Compliance=if(AntivirusSignatureAge==0 OR AntivirusSignatureAge==1 ,"COMPLIANT","NONCOMPLIANT") 
| stats count(eval(Compliance=="COMPLIANT")) as compliant, count(eval(Compliance=="NONCOMPLIANT")) as noncompliant, count as total 
| eval AVUpdateCompliance=round((compliant/total)*100,2) 
| table AVUpdateCompliance

Now customer requirement is to add a filter on top of this panel, which shows last 4 months like
January 2019
December 2018
November 2018
October 2018

and this filter has already been created.

My query is...

How do i pass a month as a token in my query so that, if a user selects November 2018 from dropdown, then the panel should show AV % compliance only for the month of November.

Any help would be highly appreciable.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-30-2019 05:39 AM

@sbhatnagar88,

If the compliance information is indexed using the actual time of the event, add the token to base search 

index=dbconnect sourcetype=dbconnect:sql:SCCM_AVCompliance_AllServers |where strftime(_time,"%B %Y")="$your_token_value$" 
|rest of your search"
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎01-30-2019 05:50 AM

Try with this: index=dbconnect sourcetype=dbconnect:sql:SCCM_AVCompliance_AllServers [| makeresults |eval time=$token|s$ | eval time="01 ".time| eval time2= strptime(time, "%d %B %Y") | eval time3 = relative_time(time2, "+1mon") | eval time3 = relative_time(time3, "-1d") | eval earliest=time2 | eval latest=time3 | return earliest, latest]

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-30-2019 05:39 AM

@sbhatnagar88,

If the compliance information is indexed using the actual time of the event, add the token to base search 

index=dbconnect sourcetype=dbconnect:sql:SCCM_AVCompliance_AllServers |where strftime(_time,"%B %Y")="$your_token_value$" 
|rest of your search"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

sbhatnagar88
Path Finder
‎01-31-2019 10:07 PM

That worked perfectly...Thank you much!!!

0 Karma
Reply
Solved! Jump to solution

sbhatnagar88
Path Finder
‎02-01-2019 01:47 AM

one more query..in case i want to pass latest month always in my token then how would i paas that?

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎02-01-2019 04:14 AM

if you are looking for current month try strftime(now(),"%B %Y")
If you are always using latest month, you dont need a token , instead you can use it directly to the search

where strftime(_time,"%B %Y")=strftime(now(),"%B %Y")

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

sbhatnagar88
Path Finder
‎02-01-2019 04:22 AM

hi Renjith,

yes.Thanks.i got this one already but putting time filter on the index has made my searches/results very slow.Any idea about this?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...