- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dmbr
Explorer
08-21-2022
06:02 PM
How do I compare the values of the most recent event to the event before that and show only the difference?
In one example, I am looking at o365 management activity with multivalue fields.
I want to see the difference and know when a domain has been added to an inbound Spam Policy.
Here is my base search:
index=idm_o365 sourcetype=o365:management:activity Workload="Exchange" Operation="Set-HostedContentFilterPolicy"
| eval a=mvfind('Parameters{}.Name', "AllowedSenderDomains"), AllowedSenderDomains=mvindex('Parameters{}.Value', a)
| table _time user_email ObjectId AllowedSenderDomains | sort - _time
| eval a=mvfind('Parameters{}.Name', "AllowedSenderDomains"), AllowedSenderDomains=mvindex('Parameters{}.Value', a)
| table _time user_email ObjectId AllowedSenderDomains | sort - _time
The last two events will be this:
2022-08-15 00:00:00 user@example.com SpamPolicyName A.com;B.com;C.com
2022-08-10 00:00:00 user@example.com SpamPolicyName A.com;B.com
I would like to compare these two events and only show the difference, i.e. that "C.com" was added:
2022-08-15 00:00:00 user@example.com SpamPolicyName C.com
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bowesmana
SplunkTrust
08-21-2022
06:53 PM
Using streamstats and mvmap.
| makeresults
| eval data=split("2022-08-15 00:00:00 user@example.com SpamPolicyName A.com;B.com;C.com,2022-08-10 00:00:00 user@example.com SpamPolicyName A.com;B.com", ",")
| mvexpand data
| rex field=data "(?<t>.{19}) (?<email>[^ ]*) (?<domains>.*)"
| eval _time=strptime(t, "%F %T")
| table _time email domains
``` Now here is what you need ```
``` Sort thenm in ascending time order ```
| sort _time
| eval domains=split(domains, ";")
``` Now copy previous date to later date ```
| streamstats window=1 current=f values(domains) as prev_domains
``` and remove 'first' event with no previous ```
| where isnotnull(prev_domains)
``` Now find additions ```
| eval additions=mvmap(domains, if(isnull(mvfind(prev_domains, domains)), domains, null()))
``` this will also find removals ```
| eval removals=mvmap(prev_domains, if(isnull(mvfind(domains, prev_domains)), prev_domains, null()))First part sets up your example. Note that this also finds any 'removals'. i.e. where latest data does NOT have domains from earlier date.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bowesmana
SplunkTrust
08-21-2022
06:53 PM
Using streamstats and mvmap.
| makeresults
| eval data=split("2022-08-15 00:00:00 user@example.com SpamPolicyName A.com;B.com;C.com,2022-08-10 00:00:00 user@example.com SpamPolicyName A.com;B.com", ",")
| mvexpand data
| rex field=data "(?<t>.{19}) (?<email>[^ ]*) (?<domains>.*)"
| eval _time=strptime(t, "%F %T")
| table _time email domains
``` Now here is what you need ```
``` Sort thenm in ascending time order ```
| sort _time
| eval domains=split(domains, ";")
``` Now copy previous date to later date ```
| streamstats window=1 current=f values(domains) as prev_domains
``` and remove 'first' event with no previous ```
| where isnotnull(prev_domains)
``` Now find additions ```
| eval additions=mvmap(domains, if(isnull(mvfind(prev_domains, domains)), domains, null()))
``` this will also find removals ```
| eval removals=mvmap(prev_domains, if(isnull(mvfind(domains, prev_domains)), prev_domains, null()))First part sets up your example. Note that this also finds any 'removals'. i.e. where latest data does NOT have domains from earlier date.
