- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Is it possible to create a variable that would...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the timechart below, is there a way to create variable that would trigger if a daily count dropped by a hundred?
Example if East Florida count dropped from 807-799, is there a way to write an case statement that would show a 1?
index=cmdb Owner_Contact!="IS&O" Owner_Contact!="UNDEFINED LOCATION" Owner_Contact!="SM&D"|table Name Owner_Contact SystemRole OS Site Serial_Number IsVirtual Domain Total_Physical_Memory NumberOfProcessors _time | eval divown=case(Owner_Contact="Tristar" OR Owner_Contact="North Florida" OR Owner_Contact="East Florida" OR Owner_Contact="San Antonio" OR Owner_Contact="Healthtrust","John" , Owner_Contact="North Texas" OR Owner_Contact="Mid America" OR Owner_Contact="Central & West Texas" OR Owner_Contact="Far West" OR Owner_Contact="Mountain","Jase",Owner_Contact="Capital" OR Owner_Contact="West Florida" OR Owner_Contact="Continental" OR Owner_Contact="South Atlantic","David",1=1,"None")|search divown="John" |search Owner_Contact!="None"| timechart span=1d dc(Name) as "servers" by Owner_Contact|
_time East Florida Healthtrust North Florida San Antonio Tristar
2017-01-03T00:00:00.000-0600 761 0 1232 809 889
2017-01-04T00:00:00.000-0600 807 0 1232 808 887
2017-01-05T00:00:00.000-0600 807 0 1232 808 888
2017-01-06T00:00:00.000-0600 806 0 1233 808 879
2017-01-07T00:00:00.000-0600 806 0 1233 808 879
2017-01-08T00:00:00.000-0600 0 0 0 0 0
2017-01-09T00:00:00.000-0600 810 20 1234 808 879
2017-01-10T00:00:00.000-0600 0 0 0 0 0
2017-01-11T00:00:00.000-0600 812 164 1232 833 876
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try something like this:
...|sort + _time|streamstats window=1 current=f last(*) as prev* by _time|foreach prev* [eval <<FIELD>>Alert='<<MATCHSTR>>'-'<<FIELD>>']|rename prev*Alert as *Alert|fields - prev*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try something like this:
...|sort + _time|streamstats window=1 current=f last(*) as prev* by _time|foreach prev* [eval <<FIELD>>Alert='<<MATCHSTR>>'-'<<FIELD>>']|rename prev*Alert as *Alert|fields - prev*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try looking into streamstats which evaluates data in order rather than in aggregate. you would need to generate a table of count by time and by owner (similar to your timechart but im not sure you can use timechart) and then use a streamstats command to say something like "previousDay = last(coundDay)" which will generate a new field in each event equal to the value of countDay in the previous event. then check if it dropped by 100 or more between events using "eval dropTriggered = if(previousDay - countDay > 99,1,0)". it is important that you sort by time before sending the data through streamstats so that the "last" command references the events in the correct order (chronological)
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
