Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Calculate how many IPs changed since last week

Regengott
New Member
‎07-12-2013 05:49 AM

I have a bunch of log files from a honeypot. In this logfiles, I have IP-Adresses which appear almost every day and some of them change. Now I'd like to see on a per week basis how many new IPs dropping in the pot.

Just to make my analysis problem clear

IPs in week 1

1.2.3.4

2.3.4.5

3.4.5.6

IPs in week 2

1.2.3.4

2.3.4.5

3.4.5.6

9.9.9.9

The result would be "1 IP added since last week"

Tags (2)
0 Karma
Reply

bmunson_splunk
Splunk Employee
Splunk Employee
‎07-12-2013 06:17 AM

You need to do a subsearch and use the boolean NOT to exclude those results.

source=mylogs src_ip=* NOT [ search earliest=-14d@d latest=-7d@d  source=mylogs | stats count by src_ip | fields src_ip ] | stats dc(src_ip) as "New IP's this week"

If you are regularly doing this and have a lot of data, you might want to schedule the subsearch to speed this up.

edited to add the command "search" above and modify output

Reply

Regengott
New Member
‎07-12-2013 07:17 AM

/me = newbie 🙂 Thx - now I got a result, I need to interpret it, wether it is what I want

0 Karma
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎07-12-2013 06:39 AM

he just forgot to put the search command. Add the word search before earliest. ie:
source=mylogs src_ip=* NOT [ search earliest=-14d@d latest=-7d@d .....

0 Karma
Reply

Regengott
New Member
‎07-12-2013 06:25 AM

Thx for quick response, but unfortunately I got an error "Unknown search command 'earliest'". Perhaps I should have mentioned I used the free version 5.0.3?

0 Karma
Reply

linu1988
Champion
‎07-12-2013 05:59 AM

use join to see the difference

Index=blah earliest=-1w@W|stats count as LastCount|join host[Index=blah earliest=-0w@W|stats count as Latest]|table host,LastCount,Latest|eval Difference=Latest-LastCount

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...