https://community.splunk.com/t5/Splunk-Search/compare-results-in-different-days/m-p/388322#M171036 <P>Hi @stevesmith08,</P> <P>You can use something like that if you want to add the date field : </P> <PRE><CODE>sourcetype=“scan_results” date=“2019-05-27” OR date=“2019-05-28” | stats dc(date) as condition values(date) as date by host, port, state | where condition &lt;2 </CODE></PRE> <P>Cheers,<BR /> David</P> Tue, 28 May 2019 07:22:02 GMT DavidHourani 2019-05-28T07:22:02Z https://community.splunk.com/t5/Splunk-Search/compare-results-in-different-days/m-p/388320#M171034 <P>Good day! I have two requests for different dates. I need to compare the results of the queries.</P> <P>The following comparison command works correctly:<BR /> | set diff<BR /> [search sourcetype=“scan_results” date=“2019-05-27” | table host, port, state]<BR /> [search sourcetype=“scan_results” date=“2019-05-28” | table host, port, state]</P> <P>But I need to add a field “date” to each result.</P> <P>In the end, I want to track changes in the status of ports for different scan dates.</P> <P>Could you help me, please?</P> <P>Thanks</P> Wed, 30 Sep 2020 00:41:15 GMT https://community.splunk.com/t5/Splunk-Search/compare-results-in-different-days/m-p/388320#M171034 stevesmith08 2020-09-30T00:41:15Z https://community.splunk.com/t5/Splunk-Search/compare-results-in-different-days/m-p/388321#M171035 <P>hi Steve<BR /> You already have got the "date" field in the event. You could add it straight away or am i not understanding the issue correctly?</P> <PRE><CODE>| set diff [search sourcetype=“scan_results” date=“2019-05-27” | table host, port, state, date] [search sourcetype=“scan_results” date=“2019-05-28” | table host, port, state, date] </CODE></PRE> <P>.</P> Tue, 28 May 2019 07:19:30 GMT https://community.splunk.com/t5/Splunk-Search/compare-results-in-different-days/m-p/388321#M171035 koshyk 2019-05-28T07:19:30Z https://community.splunk.com/t5/Splunk-Search/compare-results-in-different-days/m-p/388322#M171036 <P>Hi @stevesmith08,</P> <P>You can use something like that if you want to add the date field : </P> <PRE><CODE>sourcetype=“scan_results” date=“2019-05-27” OR date=“2019-05-28” | stats dc(date) as condition values(date) as date by host, port, state | where condition &lt;2 </CODE></PRE> <P>Cheers,<BR /> David</P> Tue, 28 May 2019 07:22:02 GMT https://community.splunk.com/t5/Splunk-Search/compare-results-in-different-days/m-p/388322#M171036 DavidHourani 2019-05-28T07:22:02Z https://community.splunk.com/t5/Splunk-Search/compare-results-in-different-days/m-p/388323#M171037 <P>If you explicitly specify the date in each subquery, the results they return differ in this field.</P> <P>I need to compare only fields “host”, “port”, “state”</P> Tue, 28 May 2019 07:24:19 GMT https://community.splunk.com/t5/Splunk-Search/compare-results-in-different-days/m-p/388323#M171037 stevesmith08 2019-05-28T07:24:19Z https://community.splunk.com/t5/Splunk-Search/compare-results-in-different-days/m-p/388324#M171038 <P>Thanks! it works correctly</P> Tue, 28 May 2019 07:27:36 GMT https://community.splunk.com/t5/Splunk-Search/compare-results-in-different-days/m-p/388324#M171038 stevesmith08 2019-05-28T07:27:36Z https://community.splunk.com/t5/Splunk-Search/compare-results-in-different-days/m-p/388325#M171039 <P>you're welcome !</P> Tue, 28 May 2019 07:30:03 GMT https://community.splunk.com/t5/Splunk-Search/compare-results-in-different-days/m-p/388325#M171039 DavidHourani 2019-05-28T07:30:03Z