Created
February 20, 2019 19:06
-
-
Save mirubid/2baca81857656a163b9657ccdb9d8d7f to your computer and use it in GitHub Desktop.
splunk query to compare day to day data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <form> | |
| <init> | |
| <set token="query_format"></set> | |
| <set token="sourcetype_query">ClientAccountOperations</set> | |
| </init> | |
| <label>Compare By Day</label> | |
| <description>converts time ranges to over lapping days so that daily results can be directly compared</description> | |
| <search id="search"> | |
| <query> | |
| <![CDATA[ | |
| index=$index$ sourcetype IN ($sourcetypes$) ($searchfilter$) | |
| | rex field=_raw $extract_rex$ | |
| | fields $fields$ | |
| | eval | |
| rel_now=relative_time(now(), "-0d@d"), | |
| rel_time=relative_time(_time,"-0d@d"), | |
| days_ago = floor((rel_now-rel_time)/86400), | |
| _time = _time + days_ago * 86400, | |
| day_name=case(days_ago==0,"00 today",days_ago==1,"01 yesterday",1==1,days_ago." days ago") | |
| ]]> | |
| </query> | |
| <earliest>$timepicker.earliest$</earliest> | |
| <latest>$timepicker.latest$</latest> | |
| <sampleRatio>$sample_ratio$</sampleRatio> | |
| </search> | |
| <fieldset submitButton="false" autoRun="false"> | |
| <input type="text" token="searchfilter" searchWhenChanged="true"> | |
| <label>Search</label> | |
| <default>Exception</default> | |
| </input> | |
| <input type="dropdown" token="index"> | |
| <label>index</label> | |
| <choice value="app">app</choice> | |
| <choice value="iis">iis</choice> | |
| <choice value="database">db</choice> | |
| <default>app</default> | |
| <initialValue>app</initialValue> | |
| </input> | |
| <input type="multiselect" token="sourcetypes" searchWhenChanged="true"> | |
| <label>sourcetype</label> | |
| <choice value="*">any</choice> | |
| <choice value="ClientAccountOperations">ClientAccountOperations</choice> | |
| <choice value="iis">iis</choice> | |
| <choice value="account_management">account management</choice> | |
| <choice value="semanticexception">semanticexception</choice> | |
| <choice value="api_gateway_customer_acquisition">api_gateway_customer_acquisition</choice> | |
| <choice value="auth_release_processor">auth_release_processor</choice> | |
| <choice value="ClientInteractionService">ClientInteractionService</choice> | |
| <choice value="contact_verification">contact_verification</choice> | |
| <choice value="registration_post_pending_activations">registration_post_pending_activations</choice> | |
| <choice value="semanticloggingapi">semanticloggingapi</choice> | |
| <valuePrefix>"</valuePrefix> | |
| <valueSuffix>"</valueSuffix> | |
| <delimiter> ,</delimiter> | |
| <default>ClientAccountOperations</default> | |
| </input> | |
| <input type="time" token="timepicker" searchWhenChanged="true"> | |
| <label>time range</label> | |
| <default> | |
| <earliest>-3d@d</earliest> | |
| <latest>now</latest> | |
| </default> | |
| </input> | |
| <input type="dropdown" token="sample_ratio" searchWhenChanged="true"> | |
| <label>sample ratio</label> | |
| <choice value="1">1 (no sampling)</choice> | |
| <choice value="10">10</choice> | |
| <choice value="100">100</choice> | |
| <choice value="1000">1000</choice> | |
| <choice value="10000">10000</choice> | |
| <default>1</default> | |
| </input> | |
| <input type="text" token="fields"> | |
| <label>fields</label> | |
| <default>_time ProductSource ActivationRequestType Status COUNT</default> | |
| </input> | |
| <input type="text" token="aggregation"> | |
| <label>aggregation</label> | |
| <default>count</default> | |
| </input> | |
| <input type="text" token="timespan"> | |
| <label>time span</label> | |
| <default>1m</default> | |
| </input> | |
| <input type="text" token="extract_rex"> | |
| <label>Extract Regex</label> | |
| <prefix>"</prefix> | |
| <suffix>"</suffix> | |
| </input> | |
| </fieldset> | |
| <row> | |
| <panel> | |
| <html> | |
| <code>index=$index$ sourcetype IN ($sourcetypes$) ($searchfilter$)</code> | |
| <code depends="$extract$">$extract$</code> | |
| <code>| fields $fields$</code> | |
| <code>| timechart span=$timespan$ $aggregation$ by day_name</code> | |
| </html> | |
| </panel> | |
| </row> | |
| <row> | |
| <panel> | |
| <single> | |
| <title>Total events</title> | |
| <search base="search"> | |
| <query>| stats count as count_total by day_name</query> | |
| </search> | |
| <option name="drilldown">none</option> | |
| <option name="height">58</option> | |
| <option name="trellis.enabled">1</option> | |
| <option name="trellis.size">small</option> | |
| <option name="charting.chart.resultTruncationLimit">10000</option> | |
| </single> | |
| <chart> | |
| <title>Events distribution ($aggregation$)</title> | |
| <search base="search"> | |
| <query>| timechart span=$timespan$ $aggregation$ by day_name | |
| | where _time > relative_time(now(),"-0d@d")</query> | |
| </search> | |
| <option name="charting.chart">column</option> | |
| <option name="charting.data.count">50000</option> | |
| <option name="charting.drilldown">none</option> | |
| <option name="charting.layout.splitSeries">1</option> | |
| <option name="height">419</option> | |
| </chart> | |
| </panel> | |
| </row> | |
| <row> | |
| <panel> | |
| <event> | |
| <search base="search"> | |
| <query>|fillnull value="--"</query> | |
| </search> | |
| <option name="list.drilldown">none</option> | |
| </event> | |
| </panel> | |
| </row> | |
| </form> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment