Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare results from two timeframes and show differences?

mistydennis
Communicator
‎02-14-2023 01:51 PM

Hello Splunk experts - I am trying to create a query that shows the difference in results from two distinct time frames. 

Original search:

 

index=summary_nexpose
| table AssetName, cveID, Exposure
| mvcombine delim=",", cveID 
| nomv cveID 
| eval numberCVEs=mvcount(split(cveID,",")) 
| rename numberCVEs AS "Number of CVEs"

 

What I need to do is add two timeframes: results from 30 days ago vs. results from today, and then show the difference in events between those two timeframes.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-14-2023 03:43 PM

So, Asset count * Exposure types = 68?

Not sure how you get 2584 rows from that stats command.

Anyway, so in your example, does the server1 row indicate that today has 1 CVE and 30 days ago there were none? How do you want to reflect 'difference'.

You can try something like this

...
| stats count values(cveID) as cveID by _time AssetName Exposure
| nomv cveID
| stats list(_time) as time list(*) as * by AssetName Exposure
| eval time=strftime(time, "%F %T")
| where mvcount(cveID)=1 OR mvindex(cveID, 0)!=mvindex(cveID,1)
| table AssetName cveID Exposure count

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mistydennis
Communicator
‎02-14-2023 02:41 PM

So that query gives me all the results from both days (2,584 rows). What I want to find out is how the results are different from both days. With my data set there should be 136 rows.

The desired outcome is a table that looks like this:

AssetNamecveIDExposureNumber of CVEs
server1cve1Internal1
server 2cve1, cve2, cve3Internal3
0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-14-2023 03:43 PM

So, Asset count * Exposure types = 68?

Not sure how you get 2584 rows from that stats command.

Anyway, so in your example, does the server1 row indicate that today has 1 CVE and 30 days ago there were none? How do you want to reflect 'difference'.

You can try something like this

...
| stats count values(cveID) as cveID by _time AssetName Exposure
| nomv cveID
| stats list(_time) as time list(*) as * by AssetName Exposure
| eval time=strftime(time, "%F %T")
| where mvcount(cveID)=1 OR mvindex(cveID, 0)!=mvindex(cveID,1)
| table AssetName cveID Exposure count

 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎02-14-2023 02:35 PM

Use 2 data set ranges. I am not sure what the idea is behind mvcombine and then splitting and counting, but does this start to work for you?

index=summary_nexpose (earliest=@d latest=now) OR  
                      (earliest=-30d@d latest=-29d@d)
| bin _time span=1d
| stats count(cveID) as "Number of CVEs" values(cveID) by _time AssetName, Exposure

Not sure what you want to do with your comparison. logic 

What do you want to see from a comparison - a table form or chart or...?

Do you want the two dates combined to both values on the same row?

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...