https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/600774#M209115 <P>Hi all, I am trying to build a query that only shows the NEW results compared to yesterday.</P> <P>I would like to get some alert and data to show ONLY if the message/key is new today, compared to the results yesterday.</P> <P>for example:&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">{query} | stats count by key</LI-CODE> <P>&nbsp;</P> <P>Yesterday, the query returned - "key1", and "key2".</P> <P>| key&nbsp; &nbsp; | count |</P> <P>| key1 | 10&nbsp; &nbsp; &nbsp; &nbsp;|</P> <P>| key2 | 5&nbsp; &nbsp; &nbsp; &nbsp; |</P> <P>Today, there are some results returned - "key1", and "key3". I would like to get the count of "key3" only as it is new today and didn't show up yesterday.</P> <P>| key&nbsp; &nbsp; | count |</P> <P>| key3 | 15&nbsp; &nbsp; &nbsp; &nbsp;|</P> <P>Thanks in advance!</P> Mon, 13 Jun 2022 22:48:52 GMT winter0827 2022-06-13T22:48:52Z https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/600774#M209115 <P>Hi all, I am trying to build a query that only shows the NEW results compared to yesterday.</P> <P>I would like to get some alert and data to show ONLY if the message/key is new today, compared to the results yesterday.</P> <P>for example:&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">{query} | stats count by key</LI-CODE> <P>&nbsp;</P> <P>Yesterday, the query returned - "key1", and "key2".</P> <P>| key&nbsp; &nbsp; | count |</P> <P>| key1 | 10&nbsp; &nbsp; &nbsp; &nbsp;|</P> <P>| key2 | 5&nbsp; &nbsp; &nbsp; &nbsp; |</P> <P>Today, there are some results returned - "key1", and "key3". I would like to get the count of "key3" only as it is new today and didn't show up yesterday.</P> <P>| key&nbsp; &nbsp; | count |</P> <P>| key3 | 15&nbsp; &nbsp; &nbsp; &nbsp;|</P> <P>Thanks in advance!</P> Mon, 13 Jun 2022 22:48:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/600774#M209115 winter0827 2022-06-13T22:48:52Z https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/600781#M209120 <LI-CODE lang="markup">{query} | stats count values(date) as date by key | where mvcount(date) = 1 AND date = today</LI-CODE><P>Obviously, you will need to adjust for your real data and field names</P> Tue, 07 Jun 2022 05:25:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/600781#M209120 ITWhisperer 2022-06-07T05:25:31Z https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/601622#M209379 <P>Thanks, that solves my problem.</P><P>A follow up: how can I compare the values in last 2 weeks and only show the new ones in this week?</P> Mon, 13 Jun 2022 22:48:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/601622#M209379 winter0827 2022-06-13T22:48:08Z https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/601644#M209386 <P>Please clarify what you are trying to do - is it just a matter of setting the timeframe and using a span of 1 week instead of 1 day?</P> Tue, 14 Jun 2022 05:23:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/601644#M209386 ITWhisperer 2022-06-14T05:23:01Z https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/601675#M209402 <P>firstly, I would like to compare day to day data. And list the count by key.</P><P>and then I want to expand the timeframe and compare the week by week, month by month data.&nbsp;</P><P>for both cases above, I want to know which values are NEW in last day/week/month.</P> Tue, 14 Jun 2022 08:10:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/601675#M209402 winter0827 2022-06-14T08:10:04Z https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/601676#M209403 <P>Bucket the time by the appropriate span and compare against the current bucket. Something like this</P><LI-CODE lang="markup">{query} | bin _time as date span=1w | eval today=relative_time(now(),"@w") | stats count values(date) as date by key | where mvcount(date) = 1 AND date = today</LI-CODE><LI-CODE lang="markup">{query} | bin _time as date span=1mon | eval today=relative_time(now(),"@mon") | stats count values(date) as date by key | where mvcount(date) = 1 AND date = today</LI-CODE><P>&nbsp;</P> Tue, 14 Jun 2022 08:18:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/601676#M209403 ITWhisperer 2022-06-14T08:18:55Z https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/601678#M209404 <P>Assuming there is no "date" field in your log, first line, day field recognizes your day(today or yesterday or 2 days ago ...) , then second line specifies distinct days and count by each key and finally query shows unique keys related to today(day=1)<BR /><SPAN>|&nbsp;eval&nbsp;day=round((now()-time)/86400,0)</SPAN><BR /><SPAN>| stats&nbsp;count,dc(day)&nbsp;as&nbsp;day_count by&nbsp;key</SPAN><BR /><SPAN>|&nbsp;where day_count =1&nbsp;AND&nbsp;day=1 AND count=1</SPAN></P> Tue, 14 Jun 2022 08:26:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-query-that-Only-shows-new-data-compared-to/m-p/601678#M209404 marysan 2022-06-14T08:26:02Z