https://community.splunk.com/t5/Splunk-Search/How-can-I-show-the-difference-in-a-string-field-from-one-day-to/m-p/386836#M169513 <P>Thanks, I appreciate the help. </P> Wed, 09 May 2018 20:10:17 GMT bscavotto 2018-05-09T20:10:17Z https://community.splunk.com/t5/Splunk-Search/How-can-I-show-the-difference-in-a-string-field-from-one-day-to/m-p/386831#M169508 <P>I have a powershell script that audits some files and creates an Windows application event log with the filepaths of any matches in the Message field. It runs once per day and creates a single event log everyday. I only want the diff from one day to the next as new things are found. </P> <P>My query so far only gives me the split listing of the Message field contents and the count but how do I get it to only show me the new entries as compared to the previous day? </P> <P><CODE>sourcetype=WinEventLog:Application SourceName=MessageAudit |eval NewMessage=split(Message,"\\\\") |eval NewMessageCount=mvcount(NewMessage) |table NewMessage,NewMessageCount | search NewMessageCount&gt;3</CODE>6<BR /> (There are 36 consistent false positives)</P> <P>Thanks.</P> Wed, 09 May 2018 15:45:52 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-show-the-difference-in-a-string-field-from-one-day-to/m-p/386831#M169508 bscavotto 2018-05-09T15:45:52Z https://community.splunk.com/t5/Splunk-Search/How-can-I-show-the-difference-in-a-string-field-from-one-day-to/m-p/386832#M169509 <P>Perhaps the <CODE>diff</CODE> command would work here</P> <PRE><CODE>sourcetype=WinEventLog:Application SourceName=MessageAudit |eval NewMessage=split(Message,"\\\\") |eval NewMessageCount=mvcount(NewMessage) |table NewMessage,NewMessageCount| diff pos1=... pos2=... | search NewMessageCount&gt;36 </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Diff">https://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Diff</A></P> Wed, 09 May 2018 17:49:17 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-show-the-difference-in-a-string-field-from-one-day-to/m-p/386832#M169509 skoelpin 2018-05-09T17:49:17Z https://community.splunk.com/t5/Splunk-Search/How-can-I-show-the-difference-in-a-string-field-from-one-day-to/m-p/386833#M169510 <P>Thanks, I've reviewed that document. I'm not clear on what would go into the pos1 and pos2 fields. </P> Wed, 09 May 2018 18:24:33 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-show-the-difference-in-a-string-field-from-one-day-to/m-p/386833#M169510 bscavotto 2018-05-09T18:24:33Z https://community.splunk.com/t5/Splunk-Search/How-can-I-show-the-difference-in-a-string-field-from-one-day-to/m-p/386834#M169511 <P>Plus, I'm not diffing data in the same output. This is output from each day separately. </P> Wed, 09 May 2018 18:35:14 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-show-the-difference-in-a-string-field-from-one-day-to/m-p/386834#M169511 bscavotto 2018-05-09T18:35:14Z https://community.splunk.com/t5/Splunk-Search/How-can-I-show-the-difference-in-a-string-field-from-one-day-to/m-p/386835#M169512 <P>Try like this</P> <PRE><CODE>sourcetype=WinEventLog:Application SourceName=MessageAudit earliest=-1d@d latest=now | fields _time Message |eval Message=split(Message,"\\\\") | mvexpand Message | stats values(_time) as time by Message | rename COMMENT as "Below line will filter results to show new paths that were received today" | whhere mvcount(time)=1 AND time&gt;=relative_time(now(),"@d") </CODE></PRE> Wed, 09 May 2018 19:24:22 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-show-the-difference-in-a-string-field-from-one-day-to/m-p/386835#M169512 somesoni2 2018-05-09T19:24:22Z https://community.splunk.com/t5/Splunk-Search/How-can-I-show-the-difference-in-a-string-field-from-one-day-to/m-p/386836#M169513 <P>Thanks, I appreciate the help. </P> Wed, 09 May 2018 20:10:17 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-show-the-difference-in-a-string-field-from-one-day-to/m-p/386836#M169513 bscavotto 2018-05-09T20:10:17Z