topic Re: How to compare most recent results with previous search results? in Splunk Search

How to compare most recent results with previous search results?

vinchakov_a — Wed, 30 Jul 2014 08:42:00 GMT

Open ports are check every 5 minutes.

index=os sourcetype=openPorts host=myhost earliest = -5m@m

udp      123
udp     1514
udp     1506
udp     1505
udp     1504
udp     1503
udp     1502
udp     1501
udp      514
udp      123
udp      123
udp      123
udp      631
tcp     8000
tcp     8089
tcp       22
tcp     9997

Is it possible to compare the most recent values with the previous results?

Re: How to compare most recent results with previous search results?

somesoni2 — Thu, 31 Jul 2014 14:19:31 GMT

Something like this

|set diff [search index=os sourcetype=openPorts host=myhost earliest = -5m@m][index=os sourcetype=openPorts host=myhost earliest = -10m@m latest=-5m@m]

Add "|table <>" to both the subsearches to better results.
There could be more better approach to this but you need to provide more details on the data, comparison you want to do to arrive on one.

Re: How to compare most recent results with previous search results?

vinchakov_a — Fri, 01 Aug 2014 03:31:36 GMT

Thank you!

Re: How to compare most recent results with previous search results?

vinchakov_a — Fri, 01 Aug 2014 03:39:56 GMT

It's work:

| set diff [ | search index=os sourcetype=openPorts host=host1 earliest = -5m@m | dedup Port | table Port][ | search index=os sourcetype=openPorts host=host2 earliest = -10m@m latest=-6m@m | dedup Port | table Port]

And I recieve: No results found.

The following step a cycle of all hosts. It is real? I don't want to write alert on each host separately.