Solved: Compare results from same field

CyberWolf · ‎10-23-2024

I'm using cmd |iplocation src, and the results produce results for the City. Next i want to compare each City and report when results is different.

Example when result for a City is Miami and next hour or so in the same field for the City is Boston.

ITWhisperer · ‎10-23-2024

| streamstats latest(city) as previous current=f

CyberWolf

Thanks Everyone for fast response!

gcusello · ‎10-23-2024

I suppose that you want to check this for each Account_name, you could try with stats:

<your_search>
| iplocation src
| stats dc(city) AS city_count BY Account_name
| where city_count>1

use the Account_name field you have in your logs.

Ciao.

Giuseppe

ITWhisperer · ‎10-23-2024

| streamstats latest(city) as previous current=f

CyberWolf · ‎10-23-2024

It worked! thank you!

richgalloway · ‎10-23-2024

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

Compare results from same field