https://community.splunk.com/t5/Splunk-Search/Checking-when-a-field-value-has-changed/m-p/514716#M144867 <P>Hi!</P><P>I have a similar issue. I want to check if a url classification of the proxy has changed.</P><P>Could anybody explain exactly what was done in that search? I don't get it.</P><P>In detail my issue is like:</P><P>I have a url that is classified as malicious and all traffic to there is blocked. But maybe 2 or 3 days before the url wasn't classified as malicious and so users were able to get to the site. So I need a search which checks if the classification changed within the last few days.</P><P>&nbsp;</P><P>Any ideas?</P> Tue, 18 Aug 2020 14:52:04 GMT qman 2020-08-18T14:52:04Z https://community.splunk.com/t5/Splunk-Search/Checking-when-a-field-value-has-changed/m-p/468863#M144863 <P>Hi team, I have a highly simplified set of log entries similar to the sample data below:</P> <PRE><CODE>|makeresults |eval dummy="Dec 09 19:43:45 system1 User_name: User1 Client_version: 1.1" |append [| makeresults |eval dummy= "Dec 11 19:13:42 system1 User_name: User2 Client_version: 1.1"] |append [| makeresults |eval dummy= "Dec 11 19:26:07 system1 User_name: User3 Client_version: 1.1"] |append [| makeresults |eval dummy= "Dec 11 19:33:25 system1 User_name: User4 Client_version: 1.1"] |append [| makeresults |eval dummy= "Dec 12 05:06:14 system1 User_name: User5 Client_version: 1.1"] |append [| makeresults |eval dummy= "Dec 12 05:07:53 system1 User_name: User1 Client_version: 1.2"] |append [| makeresults |eval dummy= "Dec 12 08:41:48 system1 User_name: User1 Client_version: 1.2"] |append [| makeresults |eval dummy= "Dec 13 08:42:48 system1 User_name: User1 Client_version: 1.2"] |append [| makeresults |eval dummy= "Dec 14 08:43:48 system1 User_name: User2 Client_version: 1.2"] |append [| makeresults |eval dummy= "Dec 15 08:44:48 system1 User_name: User3 Client_version: 1.2"] |append [| makeresults |eval dummy= "Dec 16 18:45:48 system1 User_name: User4 Client_version: 1.2"] |append [| makeresults |eval dummy= "Dec 17 18:46:48 system1 User_name: User1 Client_version: 1.2"] |append [| makeresults |eval dummy= "Dec 18 18:46:48 system1 User_name: User5 Client_version: 1.1"] </CODE></PRE> <P>Could someone point me to the SPL query that could show me which user(s) have upgraded their "Client_version" and when? I basically need to track when a field value for a particular user has changed.<BR /> In the example set above, I want an output (table or graphs) that shows User1:Dec 12 05:07:53 , User2:Dec 14 08:43:48, User3:Dec 15 08:44:48 and User4:Dec 16 18:45:48</P> <P>User5 won't show up as his "Client_version" field has not updated.</P> <P>And in the case of User1, he has logged in multiple times, but I need to see only the timestamp when his "Client_version" field has changed.</P> <P>Thanks very much.</P> Sat, 21 Dec 2019 10:57:29 GMT https://community.splunk.com/t5/Splunk-Search/Checking-when-a-field-value-has-changed/m-p/468863#M144863 rleyba828 2019-12-21T10:57:29Z https://community.splunk.com/t5/Splunk-Search/Checking-when-a-field-value-has-changed/m-p/468864#M144864 <PRE><CODE>| makeresults | eval dummy="Dec 09 19:43:45 system1 User_name: User1 Client_version: 1.1 Dec 11 19:13:42 system1 User_name: User2 Client_version: 1.1 Dec 11 19:26:07 system1 User_name: User3 Client_version: 1.1 Dec 11 19:33:25 system1 User_name: User4 Client_version: 1.1 Dec 12 05:06:14 system1 User_name: User5 Client_version: 1.1 Dec 12 05:07:53 system1 User_name: User1 Client_version: 1.2 Dec 12 08:41:48 system1 User_name: User1 Client_version: 1.2 Dec 13 08:42:48 system1 User_name: User1 Client_version: 1.2 Dec 14 08:43:48 system1 User_name: User2 Client_version: 1.2 Dec 15 08:44:48 system1 User_name: User3 Client_version: 1.2 Dec 16 18:45:48 system1 User_name: User4 Client_version: 1.2 Dec 17 18:46:48 system1 User_name: User1 Client_version: 1.2 Dec 18 18:46:48 system1 User_name: User5 Client_version: 1.1" | makemv delim=" " dummy | mvexpand dummy | rename COMMENT as "this is sample you provide" | rename COMMENT as "From here, the logic" | rex field=dummy "(?&lt;time&gt;^.+) (?&lt;system&gt;system\d) User_name: (?&lt;user_name&gt;.+?) Client_version: (?&lt;client_version&gt;.+)" | eval _time=strptime(time,"%B %d %T") | table _time system user_name client_version | streamstats dc(client_version) as session by user_name | stats earliest(_time) as _time by session user_name | where session &gt; 1 </CODE></PRE> <P>Hi, @rleyba828<BR /> How about this?<BR /> and try <CODE>makemv</CODE> and <CODE>mvexpand</CODE></P> Sun, 22 Dec 2019 02:13:12 GMT https://community.splunk.com/t5/Splunk-Search/Checking-when-a-field-value-has-changed/m-p/468864#M144864 to4kawa 2019-12-22T02:13:12Z https://community.splunk.com/t5/Splunk-Search/Checking-when-a-field-value-has-changed/m-p/468865#M144865 <P>Excellent! I tried this on my live data, and the logic worked. Thanks very much.</P> Sun, 22 Dec 2019 12:27:19 GMT https://community.splunk.com/t5/Splunk-Search/Checking-when-a-field-value-has-changed/m-p/468865#M144865 rleyba828 2019-12-22T12:27:19Z https://community.splunk.com/t5/Splunk-Search/Checking-when-a-field-value-has-changed/m-p/468866#M144866 <P>you are welcome</P> Sun, 22 Dec 2019 13:29:02 GMT https://community.splunk.com/t5/Splunk-Search/Checking-when-a-field-value-has-changed/m-p/468866#M144866 to4kawa 2019-12-22T13:29:02Z https://community.splunk.com/t5/Splunk-Search/Checking-when-a-field-value-has-changed/m-p/514716#M144867 <P>Hi!</P><P>I have a similar issue. I want to check if a url classification of the proxy has changed.</P><P>Could anybody explain exactly what was done in that search? I don't get it.</P><P>In detail my issue is like:</P><P>I have a url that is classified as malicious and all traffic to there is blocked. But maybe 2 or 3 days before the url wasn't classified as malicious and so users were able to get to the site. So I need a search which checks if the classification changed within the last few days.</P><P>&nbsp;</P><P>Any ideas?</P> Tue, 18 Aug 2020 14:52:04 GMT https://community.splunk.com/t5/Splunk-Search/Checking-when-a-field-value-has-changed/m-p/514716#M144867 qman 2020-08-18T14:52:04Z