I have an application that logs the compliance status of various application resources as compliant or non-compliant every time an evaluation rule runs, and I'd like to chart the compliance trends over time. The problem is the evaluation rules don't run (and therefore log) consistently. Some are on a schedule, but some are triggered dynamically based on user actions within the application, so it could be a couple of weeks before the eval rule fires and writes a log.
I can get the current status easily enough by querying for all compliance check logs over the last 45 days, and then using the first function to get the most recent log, which represents the current compliance status of the resource. Something like this:
_sourceCategory=MyApp and "Compliance Evaluation"
| json field=_raw "Status" as compliance
| json field=_raw "Resource" as Resource
| first(compliance) as compliance by Resource
That will give me the most current status for all resources that have had an evaluation run within the time range of my query. However, what I would like to do is timeslice this for every day, and be able to show the overall trend for the last month. A standard timeslice won't cut it because that just slices the data by the day (assuming a 1d timeslice), and the compliance status of a resource may not exist on any given day, since the evaluation rule didn't fire and there is no log within the normal timeslice window.
The only solution I can think of is to take the above query, schedule it to run daily, looking back 45 days, and then write the results out to a saved list with the current date on it. I could then just query the list and chart the results. This technically works, however it seems a bit hackish, and it also means I won't be able to produce a trend chart until the scheduled query has been running for about a month.
Is there a better way to do this?
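The computation the post is after (for each day, carry each resource's most recent status forward until a newer evaluation arrives, and drop resources whose last evaluation has aged out of the lookback window) can be stated compactly outside the log-search language. The following is an added Python example, not the poster's query and not something Sumo Logic provides; it operates on constructed sample events shaped like the extracted Status and Resource fields, and the resource names, timestamps and the 45-day default are assumptions for illustration.

```python
from collections import Counter
from datetime import date, datetime, time, timedelta, timezone

# Constructed sample "Compliance Evaluation" events (hypothetical, not from the
# original post): (UTC timestamp, Resource, Status). Deliberately sparse and
# out of order, as rule-triggered evaluations would be.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00Z", "db-prod", "compliant"),
    ("2024-03-01T09:05:00Z", "web-01", "non-compliant"),
    ("2024-03-03T14:30:00Z", "web-01", "compliant"),
    ("2024-03-06T08:00:00Z", "db-prod", "non-compliant"),
    ("2024-03-04T12:00:00Z", "s3-logs", "compliant"),  # arrives out of order
]


def parse_events(events):
    """Parse ISO-8601 UTC timestamps and return events sorted by time."""
    parsed = []
    for ts, resource, status in events:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        parsed.append((when, resource, status.strip().lower()))
    parsed.sort(key=lambda e: e[0])
    return parsed


def daily_status(events, start, end, lookback_days=45):
    """Return {day: {resource: status}} for every day in [start, end].

    A resource's status on a day is its most recent evaluation up to the end of
    that day (carried forward across days with no log), but only if that
    evaluation falls inside the trailing lookback window; otherwise the status
    is treated as unknown and the resource is omitted for that day. This is the
    per-day equivalent of running the 45-day first()-by-Resource query as of
    each day's midnight.
    """
    parsed = parse_events(events)
    latest = {}  # resource -> (evaluation time, status), newest seen so far
    result = {}
    i = 0
    day = start
    while day <= end:
        next_midnight = datetime.combine(day + timedelta(days=1), time.min, tzinfo=timezone.utc)
        # Consume every evaluation that happened before the day rolled over.
        while i < len(parsed) and parsed[i][0] < next_midnight:
            when, resource, status = parsed[i]
            latest[resource] = (when, status)
            i += 1
        cutoff = next_midnight - timedelta(days=lookback_days)
        result[day] = {r: s for r, (w, s) in latest.items() if w >= cutoff}
        day += timedelta(days=1)
    return result


def daily_counts(events, start, end, lookback_days=45):
    """Aggregate daily_status into chartable per-day counts."""
    counts = {}
    for day, statuses in daily_status(events, start, end, lookback_days).items():
        c = Counter(statuses.values())
        counts[day] = {
            "compliant": c["compliant"],
            "non-compliant": c["non-compliant"],
            "total": len(statuses),
        }
    return counts


if __name__ == "__main__":
    for day, row in daily_counts(SAMPLE_EVENTS, date(2024, 3, 1), date(2024, 3, 7)).items():
        print(day, row)
```

The lookback cutoff is the part worth keeping deliberate: without it, a resource that was deleted or simply never re-evaluated would be counted as compliant forever, which makes the trend line look better than the estate actually is. Shrinking lookback_days shows the opposite failure, resources dropping out of the totals because their last evaluation is too old, which is a useful sanity check on how stale the rule schedule is allowed to be.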