Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Checking when a field value has changed
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rleyba828
Explorer
12-21-2019
02:57 AM
Hi team, I have a highly simplified set of log entries similar to the sample data below:
|makeresults |eval dummy="Dec 09 19:43:45 system1 User_name: User1 Client_version: 1.1"
|append [| makeresults |eval dummy= "Dec 11 19:13:42 system1 User_name: User2 Client_version: 1.1"]
|append [| makeresults |eval dummy= "Dec 11 19:26:07 system1 User_name: User3 Client_version: 1.1"]
|append [| makeresults |eval dummy= "Dec 11 19:33:25 system1 User_name: User4 Client_version: 1.1"]
|append [| makeresults |eval dummy= "Dec 12 05:06:14 system1 User_name: User5 Client_version: 1.1"]
|append [| makeresults |eval dummy= "Dec 12 05:07:53 system1 User_name: User1 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 12 08:41:48 system1 User_name: User1 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 13 08:42:48 system1 User_name: User1 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 14 08:43:48 system1 User_name: User2 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 15 08:44:48 system1 User_name: User3 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 16 18:45:48 system1 User_name: User4 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 17 18:46:48 system1 User_name: User1 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 18 18:46:48 system1 User_name: User5 Client_version: 1.1"]
Could someone point me to the SPL query that could show me which user(s) have upgraded their "Client_version" and when? I basically need to track when a field value for a particular user has changed.
In the example set above, I want an output (table or graphs) that shows User1:Dec 12 05:07:53 , User2:Dec 14 08:43:48, User3:Dec 15 08:44:48 and User4:Dec 16 18:45:48
User5 won't show up as his "Client_version" field has not updated.
And in the case of User1, he has logged in multiple times, but I need to see only the timestamp when his "Client_version" field has changed.
Thanks very much.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-21-2019
06:13 PM
| makeresults
| eval dummy="Dec 09 19:43:45 system1 User_name: User1 Client_version: 1.1
Dec 11 19:13:42 system1 User_name: User2 Client_version: 1.1
Dec 11 19:26:07 system1 User_name: User3 Client_version: 1.1
Dec 11 19:33:25 system1 User_name: User4 Client_version: 1.1
Dec 12 05:06:14 system1 User_name: User5 Client_version: 1.1
Dec 12 05:07:53 system1 User_name: User1 Client_version: 1.2
Dec 12 08:41:48 system1 User_name: User1 Client_version: 1.2
Dec 13 08:42:48 system1 User_name: User1 Client_version: 1.2
Dec 14 08:43:48 system1 User_name: User2 Client_version: 1.2
Dec 15 08:44:48 system1 User_name: User3 Client_version: 1.2
Dec 16 18:45:48 system1 User_name: User4 Client_version: 1.2
Dec 17 18:46:48 system1 User_name: User1 Client_version: 1.2
Dec 18 18:46:48 system1 User_name: User5 Client_version: 1.1"
| makemv delim="
" dummy
| mvexpand dummy
| rename COMMENT as "this is sample you provide"
| rename COMMENT as "From here, the logic"
| rex field=dummy "(?<time>^.+) (?<system>system\d) User_name: (?<user_name>.+?) Client_version: (?<client_version>.+)"
| eval _time=strptime(time,"%B %d %T")
| table _time system user_name client_version
| streamstats dc(client_version) as session by user_name
| stats earliest(_time) as _time by session user_name
| where session > 1
Hi, @rleyba828
How about this?
and try makemv and mvexpand
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-21-2019
06:13 PM
| makeresults
| eval dummy="Dec 09 19:43:45 system1 User_name: User1 Client_version: 1.1
Dec 11 19:13:42 system1 User_name: User2 Client_version: 1.1
Dec 11 19:26:07 system1 User_name: User3 Client_version: 1.1
Dec 11 19:33:25 system1 User_name: User4 Client_version: 1.1
Dec 12 05:06:14 system1 User_name: User5 Client_version: 1.1
Dec 12 05:07:53 system1 User_name: User1 Client_version: 1.2
Dec 12 08:41:48 system1 User_name: User1 Client_version: 1.2
Dec 13 08:42:48 system1 User_name: User1 Client_version: 1.2
Dec 14 08:43:48 system1 User_name: User2 Client_version: 1.2
Dec 15 08:44:48 system1 User_name: User3 Client_version: 1.2
Dec 16 18:45:48 system1 User_name: User4 Client_version: 1.2
Dec 17 18:46:48 system1 User_name: User1 Client_version: 1.2
Dec 18 18:46:48 system1 User_name: User5 Client_version: 1.1"
| makemv delim="
" dummy
| mvexpand dummy
| rename COMMENT as "this is sample you provide"
| rename COMMENT as "From here, the logic"
| rex field=dummy "(?<time>^.+) (?<system>system\d) User_name: (?<user_name>.+?) Client_version: (?<client_version>.+)"
| eval _time=strptime(time,"%B %d %T")
| table _time system user_name client_version
| streamstats dc(client_version) as session by user_name
| stats earliest(_time) as _time by session user_name
| where session > 1
Hi, @rleyba828
How about this?
and try makemv and mvexpand
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rleyba828
Explorer
12-22-2019
04:27 AM
Excellent! I tried this on my live data, and the logic worked. Thanks very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-22-2019
05:29 AM
you are welcome
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
qman
Engager
08-18-2020
07:52 AM
Hi!
I have a similar issue. I want to check if a url classification of the proxy has changed.
Could anybody explain exactly what was done in that search? I don't get it.
In detail my issue is like:
I have a url that is classified as malicious and all traffic to there is blocked. But maybe 2 or 3 days before the url wasn't classified as malicious and so users were able to get to the site. So I need a search which checks if the classification changed within the last few days.
Any ideas?
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...
