- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Change in total log volume
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I find the Change in total log volume (high risk rule or high risk source/destination) on every Monday
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ntalwar, while you can do it only for Monday, but if you are comparing current day to last week same day that would be better. You can refer to the following blog for the same: https://www.splunk.com/blog/2012/02/19/compare-two-time-ranges-in-one-report.html
You also have a look at the Timewrap command introduced in Splunk 6.5 onward.
Try the following run anywhere dashboard (please note that commands like append and appendcols are subject to Sub Search limitations:
<dashboard>
<label>Today vs Last Week Same Day</label>
<row>
<panel>
<chart>
<search>
<query>index=_internal sourcetype=splunkd log_level="ERROR" earliest=-0d@d latest=now
| timechart count as Today
| appendcols [search index=_internal sourcetype=splunkd log_level!="INFO" earliest=-7d@d latest=-7d@s
| timechart count as LastWeek]</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">1</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.overlayFields">LastWeek</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
</dashboard>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ntalwar, while you can do it only for Monday, but if you are comparing current day to last week same day that would be better. You can refer to the following blog for the same: https://www.splunk.com/blog/2012/02/19/compare-two-time-ranges-in-one-report.html
You also have a look at the Timewrap command introduced in Splunk 6.5 onward.
Try the following run anywhere dashboard (please note that commands like append and appendcols are subject to Sub Search limitations:
<dashboard>
<label>Today vs Last Week Same Day</label>
<row>
<panel>
<chart>
<search>
<query>index=_internal sourcetype=splunkd log_level="ERROR" earliest=-0d@d latest=now
| timechart count as Today
| appendcols [search index=_internal sourcetype=splunkd log_level!="INFO" earliest=-7d@d latest=-7d@s
| timechart count as LastWeek]</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">1</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.overlayFields">LastWeek</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
</dashboard>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey @ntalwar
If you want to compare only monday's data with the previous monday's data you can try..
<your_base_Search> date_wday="monday" | eval WeekNumber=strftime(_time, "%v") | stats count as log_volume by WeekNumber | sort- WeekNumber
you will get output like this-
WeekNumber | count
1-Jan-2018 | 4250
8-Jan-2018 | 11583
let me know if this helps you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ntalwar, for the community to assist please add more details to your question. What is the kind of log you are monitoring (any specific Splunk App or is it Custom)? What do you mean by high risk rule, source/destination? Also on every Monday compared to what Sunday or previous Monday?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am monitoring the Palo Alto firewall logs and would like to calculate the change in volume of log on Monday as compared to previous Monday(I can add in source and destination IP for finding the change in volume in context to them)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@HiroshiSatoh, I have converted your Answer to comment so that this question flags as unanswered!
| makeresults | eval message= "Happy Splunking!!!"
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
