Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Compare events that are a minimum time range apart.

hems03
New Member
‎07-12-2018 01:33 PM

I need to calculate the difference between a field in the most recent event with a given account_id and the latest event that is atleast a week before this one. 

 06/24/2018 02:45:57 PM
 AccountId=foo
 LogName=Security
 COMPARED_FIELD=0
 EventCode=4624
 EventType=0
 Type=Information 
 host=host1

 07/01/2018 03:45:57 PM
 AccountId=foo
 LogName=Security
 COMPARED_FIELD=1
 EventCode=4624
 EventType=0
 Type=Information 
 host=host1

We want to see if this field changes over the span of a week. What would be the best way of doing this?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-12-2018 02:31 PM

Like this:

Your Base Search Here
| streamstats time_window=7d values(COMPARED_FIELD) dc(COMPARED_FIELD) num_values range(COMPARED_FIELD) BY AccountId
| where num_values>1
0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...