Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Checking when a field value has changed
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rleyba828
Explorer
12-21-2019
02:57 AM
Hi team, I have a highly simplified set of log entries similar to the sample data below:
|makeresults |eval dummy="Dec 09 19:43:45 system1 User_name: User1 Client_version: 1.1"
|append [| makeresults |eval dummy= "Dec 11 19:13:42 system1 User_name: User2 Client_version: 1.1"]
|append [| makeresults |eval dummy= "Dec 11 19:26:07 system1 User_name: User3 Client_version: 1.1"]
|append [| makeresults |eval dummy= "Dec 11 19:33:25 system1 User_name: User4 Client_version: 1.1"]
|append [| makeresults |eval dummy= "Dec 12 05:06:14 system1 User_name: User5 Client_version: 1.1"]
|append [| makeresults |eval dummy= "Dec 12 05:07:53 system1 User_name: User1 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 12 08:41:48 system1 User_name: User1 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 13 08:42:48 system1 User_name: User1 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 14 08:43:48 system1 User_name: User2 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 15 08:44:48 system1 User_name: User3 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 16 18:45:48 system1 User_name: User4 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 17 18:46:48 system1 User_name: User1 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 18 18:46:48 system1 User_name: User5 Client_version: 1.1"]
Could someone point me to the SPL query that could show me which user(s) have upgraded their "Client_version" and when? I basically need to track when a field value for a particular user has changed.
In the example set above, I want an output (table or graphs) that shows User1:Dec 12 05:07:53 , User2:Dec 14 08:43:48, User3:Dec 15 08:44:48 and User4:Dec 16 18:45:48
User5 won't show up as his "Client_version" field has not updated.
And in the case of User1, he has logged in multiple times, but I need to see only the timestamp when his "Client_version" field has changed.
Thanks very much.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-21-2019
06:13 PM
| makeresults
| eval dummy="Dec 09 19:43:45 system1 User_name: User1 Client_version: 1.1
Dec 11 19:13:42 system1 User_name: User2 Client_version: 1.1
Dec 11 19:26:07 system1 User_name: User3 Client_version: 1.1
Dec 11 19:33:25 system1 User_name: User4 Client_version: 1.1
Dec 12 05:06:14 system1 User_name: User5 Client_version: 1.1
Dec 12 05:07:53 system1 User_name: User1 Client_version: 1.2
Dec 12 08:41:48 system1 User_name: User1 Client_version: 1.2
Dec 13 08:42:48 system1 User_name: User1 Client_version: 1.2
Dec 14 08:43:48 system1 User_name: User2 Client_version: 1.2
Dec 15 08:44:48 system1 User_name: User3 Client_version: 1.2
Dec 16 18:45:48 system1 User_name: User4 Client_version: 1.2
Dec 17 18:46:48 system1 User_name: User1 Client_version: 1.2
Dec 18 18:46:48 system1 User_name: User5 Client_version: 1.1"
| makemv delim="
" dummy
| mvexpand dummy
| rename COMMENT as "this is sample you provide"
| rename COMMENT as "From here, the logic"
| rex field=dummy "(?<time>^.+) (?<system>system\d) User_name: (?<user_name>.+?) Client_version: (?<client_version>.+)"
| eval _time=strptime(time,"%B %d %T")
| table _time system user_name client_version
| streamstats dc(client_version) as session by user_name
| stats earliest(_time) as _time by session user_name
| where session > 1
Hi, @rleyba828
How about this?
and try makemv and mvexpand
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-21-2019
06:13 PM
| makeresults
| eval dummy="Dec 09 19:43:45 system1 User_name: User1 Client_version: 1.1
Dec 11 19:13:42 system1 User_name: User2 Client_version: 1.1
Dec 11 19:26:07 system1 User_name: User3 Client_version: 1.1
Dec 11 19:33:25 system1 User_name: User4 Client_version: 1.1
Dec 12 05:06:14 system1 User_name: User5 Client_version: 1.1
Dec 12 05:07:53 system1 User_name: User1 Client_version: 1.2
Dec 12 08:41:48 system1 User_name: User1 Client_version: 1.2
Dec 13 08:42:48 system1 User_name: User1 Client_version: 1.2
Dec 14 08:43:48 system1 User_name: User2 Client_version: 1.2
Dec 15 08:44:48 system1 User_name: User3 Client_version: 1.2
Dec 16 18:45:48 system1 User_name: User4 Client_version: 1.2
Dec 17 18:46:48 system1 User_name: User1 Client_version: 1.2
Dec 18 18:46:48 system1 User_name: User5 Client_version: 1.1"
| makemv delim="
" dummy
| mvexpand dummy
| rename COMMENT as "this is sample you provide"
| rename COMMENT as "From here, the logic"
| rex field=dummy "(?<time>^.+) (?<system>system\d) User_name: (?<user_name>.+?) Client_version: (?<client_version>.+)"
| eval _time=strptime(time,"%B %d %T")
| table _time system user_name client_version
| streamstats dc(client_version) as session by user_name
| stats earliest(_time) as _time by session user_name
| where session > 1
Hi, @rleyba828
How about this?
and try makemv and mvexpand
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rleyba828
Explorer
12-22-2019
04:27 AM
Excellent! I tried this on my live data, and the logic worked. Thanks very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-22-2019
05:29 AM
you are welcome
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
qman
Engager
08-18-2020
07:52 AM
Hi!
I have a similar issue. I want to check if a url classification of the proxy has changed.
Could anybody explain exactly what was done in that search? I don't get it.
In detail my issue is like:
I have a url that is classified as malicious and all traffic to there is blocked. But maybe 2 or 3 days before the url wasn't classified as malicious and so users were able to get to the site. So I need a search which checks if the classification changed within the last few days.
Any ideas?
Get Updates on the Splunk Community!
Welcome to the Splunk Community!
(view in My Videos)
We're so glad you're here!
The Splunk Community is place to connect, learn, give back, and ...
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
