I am currently using this search string to determine the number of defects, but I would like to expand it so I can trend it over multiple weeks.
sourcetype="qualys" OSgroup=APPLE | stats count(eval(severity="4" or severity="5")) AS total_severity, dc(Hostname) AS total_devices | eval defects=(total_severity/total_devices)
The above string provides me the data for the time selected (which is generally the past 7 days).
What I would like to do is provide the defects for the current week, prior week, prior prior week, etc.
Thoughts?
A summary index will solve this problem.
http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Usesummaryindexing
Lp
Try
sourcetype="qualys" OSgroup=APPLE |
bucket _time span=7d |
stats count(eval(severity="4" or severity="5")) AS total_severity, dc(Hostname) AS total_devices by _time |
eval defects=(total_severity/total_devices)
and search over the past 28 days or whatever. This will bucket in 7-day periods, not Sun-Sat.
I also like dwaddle's answer, although I don't think that is the search that you want.
timechart is your friend. You may want to rewrite your search somewhat, however. Something like this may get close:
sourcetype="qualys" OSgroup=APPLE ( severity=4 OR severity=5 )
| timechart span=1w count(severity) AS total_severity, dc(Hostname) AS total_devices
| eval defects=(total_severity/total_devices)
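Putting the bucket and timechart suggestions above together, as an added example that is not part of any of the answers: this snaps the search window to whole weeks so that the first and last buckets are not partial, counts severity 4/5 findings and distinct hosts per week, and derives the ratio. The field names (sourcetype, OSgroup, severity, Hostname) come from the question; the 4-week window, the @w snapping and the rounding are my assumptions.

```spl
sourcetype="qualys" OSgroup=APPLE earliest=-4w@w latest=@w
| timechart span=1w count(eval(severity="4" OR severity="5")) AS total_severity, dc(Hostname) AS total_devices
| eval defects=round(total_severity/total_devices, 2)
```

`earliest=-4w@w latest=@w` snaps both ends of the window to the start of a week (Sunday by default; use @w1 for Monday), so every 1w bucket is a complete week and the current partial week is excluded; drop `latest=@w` if you want the in-progress week as well. Note that `dc(Hostname)` is computed per bucket, so a week in which some hosts were not scanned shrinks the denominator along with the numerator; compare `total_devices` across weeks before trusting a jump or drop in `defects`.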