Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Adding indentifier field to stats output

gyphawk
New Member
‎05-10-2017 09:22 AM

I have an index: base_data

The index has data added on a weekly basis. I would like to identify the
instances of field 'Ref' present in the previous week, but not present now (therefore they
have been removed); and to identify instances of 'Ref' that are present now but not the previous
week (therefore they are new this week).

I have managed a list of these previous and current 'Ref' values by using the following:

index=base_data earliest=-5d@w1 latest=@w6 | dedup Ref | table Ref| append [search
index=base_data earliest=@w0 | dedup Ref | table Ref] | stats count by Ref| where count < 2

Which returns a table with one column with a single instance of each Ref value that meets the
criteria.

Ref
ABC1
ABC2
ABC3

However this does not tell me which rule / dataset the Ref has been identified in. My question is -
how do I modify the search to add in a field to identify this?

For example:

index=base_data earliest=-5d@w1 latest=@w6 would be considered PreviousWeek

index=base_data earliest=@w0 would be considered CurrentWeek

to return something along the lines of

Ref | Source
ABC1 | PreviousWeek
ABC2 | PreviousWeek
ABC3 | CurrentWeek

To identify which criteria of previous/current the Ref has come from.

Many thanks in advance

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-10-2017 11:43 AM

Give this a try

index=base_data earliest=-1w@w1 latest=now 
| eval period=if(_time<relative_time(now(),"@w0"),"LastWeek","ThisWeek")
| chart count over Ref by period
| eval result=case(LastWeek=0 AND ThisWeek>0,"Newly Added", LastWeek>0 AND ThisWeek=0,"Removed", true(),"")

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-10-2017 11:43 AM

Give this a try

index=base_data earliest=-1w@w1 latest=now 
| eval period=if(_time<relative_time(now(),"@w0"),"LastWeek","ThisWeek")
| chart count over Ref by period
| eval result=case(LastWeek=0 AND ThisWeek>0,"Newly Added", LastWeek>0 AND ThisWeek=0,"Removed", true(),"")
Reply
Solved! Jump to solution

gyphawk
New Member
‎05-10-2017 12:36 PM

That works a treat thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...