
Plot search data into a static chart template

CarmineCalo
Path Finder

Splunkers!
Need your help again...

I need to plot the result of a standard events search into a static chart template, basically all the applications belonging to a specific domain vs Weeks in the observation period, see example below

AppID 2016-01 2016-02 2016-03 ...

App1
App2

The event search provides me only a subset of the combinations I finally have to plot in a table (all the empty combinations will be set to 1).

How can I do it?
My first idea was to append to the events the whole list of AppIDs and the time range I need to plot, but:
1- I'm not able to do it (just leverage the append function?)
2- It seems to me not a very clever idea...

Any help will be really appreciated,
tks in advance!

gcusello
SplunkTrust

Hi CarmineCalo,
could you share a few additional details?

  • Are the apps few or many, and do they change?
  • Why can't you get all the combinations in a single search? Could you share your search?

Bye.
Giuseppe

CarmineCalo
Path Finder

Ciao Giuseppe, the apps are around 4k.
They evolve over time, but I assume I will manage their domain through a lookup (they can be considered static during the search).

The final plot of the search will look something like this one (I need to evaluate App unavailability time):

| stats sum(incident_unavailability) as Unavailability by dateweek_year, AppID

Currently this search works pretty well, but it reports only the dateweek_year and AppID values that are part of the events (e.g. only ~2k AppIDs vs 4k total), and in general I'd like to have the full picture also when selecting different time ranges (at least for AppIDs, while dateweek_year should be limited to the time range selected).
I want the final stats to include the full domain of AppIDs and dateweek_year that I need to monitor.

Tks!
Carmine

gcusello
SplunkTrust

Ciao Carmine,
If you have a full list of dateweek_year and AppID values, you can build a lookup (e.g. my_lookup.csv) with all these values and then use a search like this:

your_main_search
| stats sum(incident_unavailability) as Unavailability by dateweek_year AppID
| append [ | inputlookup my_lookup.csv | eval Unavailability=0 | fields dateweek_year AppID Unavailability ]
| stats sum(Unavailability) as Unavailability by dateweek_year AppID

In this way Unavailability=0 means that you have no events.
Afterwards you can filter your results to show all the results or only errors; you can also display the results in graphic mode (use the Splunk 7.x Dashboard Examples App).

Bye.
Giuseppe

CarmineCalo
Path Finder

Almost correct.
One more issue: the domains for AppIDs and dateweek_year are in two different files.
How do I have to modify the append?

The last resort will be to create, manually, the permutations between AppIDs and dateweek_year and generate a new lookup table.

Tks in advance!
Carmine

gcusello
SplunkTrust

Hi Carmine,
Let me understand: you have AppIDs and time ranges in two tables and you want all the possible combinations between them, is that correct?
The easiest way is to create a scheduled search to build your lookup and then use the above search.
Bye.
Giuseppe

CarmineCalo
Path Finder

Correct, AppIDs and time ranges are in two different tables.

How can I combine the two domains?
I've no clue about the function to be called...

Tks!

Carmine

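One way to build the full AppID x dateweek_year domain directly from the two separate lookups and fill the missing combinations with 0, as an added example that is not part of any post in this thread. The lookup file names apps.csv (column AppID) and weeks.csv (column dateweek_year), and the name your_main_search, are assumptions; the cross product uses join with max=0, which lets every AppID row match every week row.

```spl
your_main_search
| stats sum(incident_unavailability) as Unavailability by dateweek_year AppID
| append
    [ | inputlookup apps.csv
      | eval k=1
      | join type=inner max=0 k
          [ | inputlookup weeks.csv
            | eval k=1 ]
      | fields - k
      | eval Unavailability=0
      | fields dateweek_year AppID Unavailability ]
| stats sum(Unavailability) as Unavailability by dateweek_year AppID
| xyseries AppID dateweek_year Unavailability
```

Filter weeks.csv inside the subsearch (for example with a where clause on dateweek_year) to keep the columns limited to the selected time range, and remember that the appended subsearch is subject to the usual subsearch result limits, so 4k apps times many weeks may need a scheduled search that writes the combinations to a lookup with outputlookup instead.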