Solved: Comparing differences in the same field depending ...

jo54 · ‎04-15-2024

I'll try to explain it with a basic example. As an output of a stats command I have:

detection

query

search1

google.com

yahoo.com

search2

google.com

bing.com

I want to get which queries are not being detected by both search1 and search 2. Or else, getting rid of the queries that are in both searches, either way work. Like ok, search1 is detecting yahoo.com whereas search2 isn't, and viceversa with bing.com

I thought about grouping by query instead of by search, the problem is I have dozens or even hundreds of queries.

Any thoughts? Cheers

marnall · ‎04-15-2024

You could stats count by query. Queries that are found by both detections will have count=2, while queries that are found by only one will have count=1. Then you can filter for count=1 to remove the hundreds of queries that are found by both detections.

| stats count by query
| where count = 1

View solution in original post

marnall · ‎04-15-2024

You could stats count by query. Queries that are found by both detections will have count=2, while queries that are found by only one will have count=1. Then you can filter for count=1 to remove the hundreds of queries that are found by both detections.

| stats count by query
| where count = 1

ITWhisperer · ‎04-15-2024

| stats count by query

Comparing differences in the same field depending on the row grouping field

stats

tstats

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?