Solved: Re: Compare two time frames with the same search

Orangebottle76 · ‎02-07-2023

So I have a search I run for an alert which looks for a missing event, it's a simple tstats that shows stuff within the last 30 days I would like to compare the 90 days variant in the same search and determine the missing events.

Any ideas?

yuanliu · ‎02-08-2023

In that case, host field is "eventID"

View solution in original post

yuanliu · ‎02-07-2023

First of all, be careful with the word "event" when talking about Splunk search because if you use tstats, you cannot retrieve what Splunk defines as an "event". So, I assume that your events carries an identifying field, say "eventID", and that you want to find which eventID's exist in the 90-day search but not in the 30-day search. Is this correct?

For this, you can do something like

| tstats count where earliest=-30d by eventID
| eval thisis = "30day"
| append
    [| tstats count where earliest=-90d by eventID
    | eval thisis = "90day"]
| stats values(thisis) as thisis by eventID
| where mvcount(thisis) == 1 AND thisis == "90day"

Hope this helps.

Orangebottle76 · ‎02-08-2023

Hi,

thanks for the reply! I am doing it for hosts to see which are missing.

yuanliu · ‎02-08-2023

In that case, host field is "eventID"

Comparing two time frames with the same search?

chart

subsearch

tstats

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services