Re: Compare the same search over two different tim...

iainp · ‎02-13-2024

I have a number of devices that send logs to Splunk.

I want to know when devices stop logging.

For this example search:

index="mydevices" logdesc="Something that speeds the search" | top limit=40 devicename

How can i find "devicename"s that have logged in the last week that haven't logged in the last 30 minutes?

if that makes sense.

Iain.

gcusello · ‎02-13-2024

Hi @iainp,

you could try something like this:

index="mydevices" logdesc="Something that speeds the search" earliest=-7d@d latest=now
| eval period=if(now()-_time<1800,"Last 30 minutes","Previous")
| stats 
   dc(period) AS period_count 
   values(period) AS period
   count
   BY devicename
| where period_count=1 period="Previous"
| table devicename

See my approach and adapt it to your Use Case.

Ciao.

Giuseppe

ITWhisperer · ‎02-13-2024

| stats latest(_time) as lasttime by devicename
| where now()-lasttime > 1800

Compare the same search over two different time periods

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation