topic Re: How to count the the number of elements in a fields after performing a set difference against other events? in Splunk Search

How to count the the number of elements in a fields after performing a set difference against other events?

doksu — Mon, 29 Jun 2015 11:15:31 GMT

How could the number of elements in a tuple of fields be counted after performing a set difference against the other events?

A trivial example:

Fields: user, src, dest, app
EventA: (alice, host1, host3, sso)
EventB: (alice, host2, host3, sshd)
EventC: (alice, host1, host3, sshd)

The set difference of EventA and the other two events above would be the set: (sso) with a count of 1.

Using an imaginary stats function, it might look something like this:

... | eventstats setdiff(src dest app) as difference by user | eval count=mvcount(difference)

Re: How to count the the number of elements in a fields after performing a set difference against other events?

woodcock — Mon, 29 Jun 2015 15:29:22 GMT

Are you sure the answer to your example shouldn't be: (host2,sso)?

Re: How to count the the number of elements in a fields after performing a set difference against other events?

woodcock — Mon, 29 Jun 2015 15:44:41 GMT

Is this close enough?

 ... | eventstats mode(*) AS mode_* BY user | eval deviant_src=if((src==mode_src),null(),src) | eval deviant_dest=if((dest==mode_dest),null(),dest) | eval deviant_app=if((app==mode_app),null(),app) | stats values(deviant*) count(deviant*) BY user

Re: How to count the the number of elements in a fields after performing a set difference against other events?

doksu — Fri, 10 Jul 2015 10:24:59 GMT

Thanks for your answer woodcock. It's quite close and a really interesting answer but it looks like it would only apply the operation to the most common element for each field. Maybe I should submit an RFE?