Comparing the 2 search results for a same search c...

Pravinraju · ‎05-09-2018

I need to compare the search results for my search criteria !

Example search criteria : host="iadtypweb*" | stats dc(session_id) as sessioncount, values(session_id) as sessionname
(I can specify the time in the Time Filter for the search)

The search criteria provides me the result of distinct session id and its value with respect to the host value specified. If this search is done on Saturday , and when I require to search this for Sunday , I need to find the occurrences of the event that do not match with Saturday results !

So it is possible to do this ? Do we have any built in functionalities to do this ?

If so provide me the sample query.

renjith_nair · ‎05-09-2018

You can use sub searches for that http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchTutorial/Useasubsearch

your current search|search NOT [search results from yesterday]

Also you could think about summary indexing where you store all the data you have found in last few days and exclude it in the current search ,

Reference : https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Usesummaryindexing

Happy Splunking!

Comparing the 2 search results for a same search criteria and provide the data that do not match those 2 search results [Search done on different time]

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life