https://community.splunk.com/t5/Splunk-Search/Compare-One-Field-over-Two-Times/m-p/118282#M31570 <P>I don't understand your question so do go back around and spell it out more clearly. Sample data would help.</P> Mon, 13 Jul 2015 19:25:27 GMT woodcock 2015-07-13T19:25:27Z https://community.splunk.com/t5/Splunk-Search/Compare-One-Field-over-Two-Times/m-p/118281#M31569 <P>I want to see what is new for the past two weeks, that hasn't been seen in the past. The only part of the search that would change is the time frame.</P> <P>earlist=-4w latest=-2w index=int sourcetype=threat | stats count by name | sort -count| head 10<BR /> Gives me a table of top ten names between two and four weeks ago.<BR /> The name field updates on a weekly basis, sometimes more often. Nothing from the name field would be deleted.</P> <P>I'm looking to compare the top 10 results and a complete list of what is new in the past two weeks.</P> <P>I have searched through other answers, but not having any luck getting a working search.</P> <P>Thank you</P> Mon, 13 Jul 2015 17:27:39 GMT https://community.splunk.com/t5/Splunk-Search/Compare-One-Field-over-Two-Times/m-p/118281#M31569 craigmueller 2015-07-13T17:27:39Z https://community.splunk.com/t5/Splunk-Search/Compare-One-Field-over-Two-Times/m-p/118282#M31570 <P>I don't understand your question so do go back around and spell it out more clearly. Sample data would help.</P> Mon, 13 Jul 2015 19:25:27 GMT https://community.splunk.com/t5/Splunk-Search/Compare-One-Field-over-Two-Times/m-p/118282#M31570 woodcock 2015-07-13T19:25:27Z https://community.splunk.com/t5/Splunk-Search/Compare-One-Field-over-Two-Times/m-p/118283#M31571 <P>Let's say I run this search, earliest=-4w latest=-2w index=int sourcetype=threat | stats count by name | sort -count | head 10<BR /> Results are -<BR /> Endpoint 6434272<BR /> URL 2499463<BR /> RPC 2428255<BR /> HTTP 299502<BR /> Login 180736<BR /> enumeration 170613<BR /> SMB 167128<BR /> NetBIOS 165573<BR /> user 92934<BR /> Buffer 54541</P> <P>I run the same search, just with the earlier time frame, earliest=-2w latest=-d index=int sourcetype=threat | stats count by name | sort -count | head 10<BR /> Results are - <BR /> Endpoint 7449314<BR /> SMB 2699952<BR /> URL 2489496<BR /> enumeration 503045<BR /> Options 332335<BR /> MP4 295500<BR /> Adobe 243639<BR /> NetBIOS 178598<BR /> Microsoft 139980<BR /> SIP 39992</P> <P>You can see there is some overlap between the two searches and that is was I am wanting to omit. I am only wanting to see what is new when comparing the past two weeks vs an older time frame.</P> Mon, 13 Jul 2015 19:54:51 GMT https://community.splunk.com/t5/Splunk-Search/Compare-One-Field-over-Two-Times/m-p/118283#M31571 craigmueller 2015-07-13T19:54:51Z https://community.splunk.com/t5/Splunk-Search/Compare-One-Field-over-Two-Times/m-p/118284#M31572 <P>This might work:</P> <P>earliest=-2w latest=-d index=int sourcetype=threat NOT [search earliest=-4w latest=-2w index=int sourcetype=threat | stats count by name | sort -count | head 10 | table name ] | stats count by name | sort -count | head 10 | table name</P> Mon, 13 Jul 2015 20:08:16 GMT https://community.splunk.com/t5/Splunk-Search/Compare-One-Field-over-Two-Times/m-p/118284#M31572 sk314 2015-07-13T20:08:16Z https://community.splunk.com/t5/Splunk-Search/Compare-One-Field-over-Two-Times/m-p/118285#M31573 <P>Based on your clarification, maybe like this:</P> <PRE><CODE>earlist=-4w latest=-2w index=int sourcetype=threat | stats count by name | sort -count| head 10 | eval type=older | append [earlist=-2w latest=-d index=int sourcetype=threat | stats count by name | sort -count| head 10 | eval type=newer] | eventstats dc(type) as numTypes by name | where numTypes=1 and type="newer" </CODE></PRE> Mon, 13 Jul 2015 23:29:04 GMT https://community.splunk.com/t5/Splunk-Search/Compare-One-Field-over-Two-Times/m-p/118285#M31573 woodcock 2015-07-13T23:29:04Z