topic Re: How to display differences week by week IP address data in Splunk Search

How to display differences week by week IP address data

balzac13dark — Sat, 05 Feb 2022 04:26:33 GMT

I'm splunk beginner.

I want to know which destination IP addresses are used on my enterprise infra by using firewall log and would like to display dest_ip result on 1st week then display only differences between 1st & 2nd week one and so on...

Can someone help which query Ii should use ?

Re: How to display differences week by week IP address data

PickleRick — Sat, 05 Feb 2022 07:13:56 GMT

It's not obvious what you mean by "difference". For example, if an IP was connected to in week 1 and 3 should it be listed in week 3 or not?

Re: How to display differences week by week IP address data

gcusello — Sat, 05 Feb 2022 07:24:01 GMT

Hi @balzac13dark,

yu could run something like this:

index=your_index earliest=-14d@d latest=@d | eval week=if(today()-_time<604400,"Second Week","First Week") | stats dc(week) AS dc_week values(week) AS week BY dest | eval week=if(dc_week=2,"Both Weeks", if(week="Second Week","Only Second Week","Only First Week")) | table dest week

Ciao.

Giuseppe

Re: How to display differences week by week IP address data

PickleRick — Sat, 05 Feb 2022 07:52:53 GMT

But what if you wanted to extend this to more weeks? 🙂

Re: How to display differences week by week IP address data

balzac13dark — Sun, 06 Feb 2022 05:57:14 GMT

thank you ! i tried but found below error.. would you help ?

The 'today' function is unsupported or undefined

My explanation was not clear. What i want was to display All dest IP result on first week then display IP not shown on first week as a second week result, then 3rd week, 4th week and so on...

Re: How to display differences week by week IP address data

gcusello — Sun, 06 Feb 2022 07:03:25 GMT

Hi @balzac13dark,

sorry I was confused, the function is now(), please try this:

index=your_index earliest=-14d@d latest=@d | eval week=if(now()-_time<604400,"Second Week","First Week") | stats dc(week) AS dc_week values(week) AS week BY dest | eval week=if(dc_week=2,"Both Weeks", if(week="Second Week","Only Second Week","Only First Week")) | table dest week

With this search you monitor the last two weeks events and you know if a dest is present only in the first wee, only in the secondo or both.

Ciao.

Giuseppe

Re: How to display differences week by week IP address data

balzac13dark — Mon, 07 Feb 2022 06:25:41 GMT

@gcusello
thank you so much !! it's working fine now. i could get results on last week & this week.

but if you could help me more below, it'd be highly appreciated.

* obtain day by day IP address difference reports for next 3month.

e.g.

day#1 result : IP a), b), c) -> IP a), b), c) are displayed

day#2 result : IP a), b), c), d) -> Only different than day#1 "IP d)" is displayed

day#3 result : IP a), b), d), e) -> Only different than day#1 & day#2 "IP e)" is displayed

day#4 result : IP b), d), e), f) -> Only different than day#1, day#2 & day#3 "IP f)" is displayed

and day#5, 6, 7 and so on...

Re: How to display differences week by week IP address data

gcusello — Mon, 07 Feb 2022 07:26:00 GMT

Hi @balzac13dark,

godd for you that the last answer was the right one!

about the new question, for the next time, please, open a new different question!

Anyway, let mew understand: you want to know the new IPs for each day respect the previous days, is it correct?

only one question: you spoke about three months as time priod, but probablt these thre months are the last three monts from the present day, is it correct?

In other words today, you count from the 7th of november, tomorrow from the 8th of november and so on, is it correct?

In this case, the only approach that I can think is to use a summary index:

you should schedule a search like my previous answer that runs every night ans saves results in a summary index, something like this:

Then you could run a search on the summary index:

index=summary_statistics | eval day=if(now()-_time<90000,"New","Already Present") | table IP status

Ciao.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

Re: How to display differences week by week IP address data

PickleRick — Mon, 07 Feb 2022 10:29:26 GMT

Ha! So that's the answer to my initial question.

You want only "incremental differences", not the "baseline differences". I'd go for something like this:

<your search>
| bin _time span=1d (or whatever you need)
| stats earliest(_time) as _time by ip
| stats values(ip) by _time
| sort _time