Comparison for use with a trend line

bworrellZP
Communicator

I am trying to compare daily failed logins for a web app. The initial ask was that they wanted to know how many failed yesterday, as compared with the day before. Racking my head around the search, as no matter what I do, I seem to also get today's failed logins, which then does not show yesterday and the day before, but rather today and yesterday.

(index=web1 OR index=web2) AND LoginStatus=Failed
| stats first(*) as * by LoginAttemptID, index, _time
| table _time, date_wday, ClientID, UserIPAddress, GuarantorAccountEntry, tag, LoginAttemptID, LoginStatus
| eval earliestTime = relative_time(now(),"-2d@d")
| eval latestTime = relative_time(now(),"-0@d")
| where _time>=earliestTime AND _time<=latestTime
| timechart count as Total span="1d" fixedrange=false

I am sure it's something silly, but any help is appreciated.

0 Karma
1 Solution

cmerriman
Super Champion

Can you just put the earliest and latest into the base search?

(index=web1 OR index=web2) AND LoginStatus=Failed earliest=-2d@d latest=@d
| stats first(*) as * by LoginAttemptID, index, _time
| table _time, date_wday, ClientID, UserIPAddress, GuarantorAccountEntry, tag, LoginAttemptID, LoginStatus
| timechart count as Total span="1d" fixedrange=false

You could also try to use timewrap:

| timechart count as Total span="1d" fixedrange=false | timewrap 1d

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Timewrap

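As an added illustration, not part of the thread, the following Python model of the accepted search's time bounds shows why `earliest=-2d@d latest=@d` yields exactly yesterday and the day before, while leaving `latest` unset (latest=now) lets the current, partial day into the chart. The fixed "now", the sample events and the de-duplication on LoginAttemptID are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed, constructed "now" so the example is deterministic.
NOW = datetime(2024, 3, 20, 14, 30, tzinfo=timezone.utc)

def _at(days_ago: int, hour: int, minute: int = 0) -> datetime:
    # Timestamp on the calendar day `days_ago` before NOW, at hour:minute UTC.
    d = NOW.date() - timedelta(days=days_ago)
    return datetime(d.year, d.month, d.day, hour, minute, tzinfo=timezone.utc)

# Constructed sample events. Attempt 1002 is logged twice, which is why the
# thread's search does `stats first(*) as * by LoginAttemptID, index, _time`.
EVENTS = [
    {"_time": _at(0, 9),      "index": "web1", "LoginAttemptID": 1005, "LoginStatus": "Failed"},
    {"_time": _at(1, 23, 59), "index": "web1", "LoginAttemptID": 1004, "LoginStatus": "Failed"},
    {"_time": _at(1, 10),     "index": "web2", "LoginAttemptID": 1002, "LoginStatus": "Failed"},
    {"_time": _at(1, 10),     "index": "web2", "LoginAttemptID": 1002, "LoginStatus": "Failed"},
    {"_time": _at(2, 0),      "index": "web1", "LoginAttemptID": 1001, "LoginStatus": "Failed"},
    {"_time": _at(2, 8),      "index": "web2", "LoginAttemptID": 1003, "LoginStatus": "Success"},
    {"_time": _at(3, 12),     "index": "web1", "LoginAttemptID": 1000, "LoginStatus": "Failed"},
]

def snap_to_day(ts: datetime, days_back: int) -> datetime:
    """Model Splunk's '-Nd@d': step back N days, then snap to midnight."""
    return (ts - timedelta(days=days_back)).replace(hour=0, minute=0, second=0, microsecond=0)

def daily_failed_counts(events, now, earliest_days_back, latest_days_back=None):
    """Daily Failed counts for earliest=-<E>d@d latest=-<L>d@d | timechart span=1d.
    latest_days_back=None models an unset latest (latest=now), which is what
    lets the current, partial day leak into the chart."""
    earliest = snap_to_day(now, earliest_days_back)
    latest = now if latest_days_back is None else snap_to_day(now, latest_days_back)
    seen, counts = set(), Counter()
    for ev in events:
        # Splunk's time range is half-open: earliest <= _time < latest.
        if not (earliest <= ev["_time"] < latest) or ev["LoginStatus"] != "Failed":
            continue
        key = (ev["LoginAttemptID"], ev["index"], ev["_time"])
        if key in seen:  # one row per attempt, like stats first(*) by ...
            continue
        seen.add(key)
        counts[ev["_time"].date().isoformat()] += 1
    return dict(counts)

def yesterday_vs_day_before(events, now):
    """The comparison the question asks for: (yesterday, day_before, delta)."""
    counts = daily_failed_counts(events, now, 2, 0)
    yesterday = counts.get(snap_to_day(now, 1).date().isoformat(), 0)
    day_before = counts.get(snap_to_day(now, 2).date().isoformat(), 0)
    return yesterday, day_before, yesterday - day_before
```

With `latest` snapped to `@d`, today's 09:00 failure is outside the half-open window and the chart has exactly two buckets; drop the upper bound and a third, partial bucket for today appears.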

mayurr98
Super Champion

Hey, try this:

(index=web1 OR index=web2) AND LoginStatus=Failed earliest=-2d
| stats first(*) as * by LoginAttemptID, index, _time
| table _time, date_wday, ClientID, UserIPAddress, GuarantorAccountEntry, tag, LoginAttemptID, LoginStatus
| timechart count span=1d
| timewrap d
| rename latest_day as today 1day_before as yesterday 2days_before as day_before_yesterday

Let me know if this helps you!

bworrellZP
Communicator

This option still lists today in the results. Thank you for the suggestion, though.

0 Karma

mayurr98
Super Champion

Oh, then you do not need to use timewrap. I thought you wanted to compare 3 days' data, so I put all three together 🙂 Just using timechart as suggested by @cmerriman will also do!

0 Karma

bworrellZP
Communicator

This worked, without the need for the timewrap. Thank you.

0 Karma