Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Can I use a diff command to compare which Windows ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I use a diff command to compare which Windows host values are logging week over week?
I am in need of assistance/guidance in creating a query that will compare the windows logging hosts from previous week against those that are logging this week. It will than output the host values that were not logging last week but are logging this week. I believe a diff command can be used here. Not sure if their are additional commands that can be used.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The |set diff command is something I avoid, because you can't tell which file the record might be present in or missing from.
If you are trying to detect hosts that first logged in the last week, and never before that, then just use this
| metadata type=hosts | where firstTime>now()-68400
If you need something more complex, then read on...
This command will get you the last time that a host logged in each week.
| tstats latest(_time) as lastTime by host _time span=1w
If you only want to see logging to a particular index, you can also do this
| tstats latest(_time) as lastTime where index=windowsFoo by host _time span=1w
Whether those are the best ways to get the data will depend a lot on your installation. If you have any summary indexes that have the data to create the list of hosts, go to them first.
Once you have the lists, you really only need the host name and the _time (which has been binned to the first day of each week.)
| table _time host
| stats values(_time) as mytimes by host
| eventstats max(mytimes) as maxtime
| where mvcount(mytimes)<2
| rename COMMENT as "use this one to get the hosts which are new this week"
| where mytimes = maxtime
| rename COMMENT as "use this one to get the hosts which disappeared this week"
| where mytimes = maxtime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i just used this query:
| tstats latest(_time) as lastTime where index=windows* by host _time span=1w
| table _time host
| stats values(_time) as mytimes by host
| eventstats max(mytimes) as maxtime
| where mvcount(mytimes)<2
| rename COMMENT as "use this one to get the hosts which disappeared this week"
| where mytimes = maxtime
However, i still see hosts that are currently logging this week.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
