Splunk Search

Find all newer events logged by application after a certain date

New Member

Question: How can we find diff between log statements before and after a given date. 
Applicability:  Let's say we release a new application code and I want to be able to see all new events that application has started logging. 

Now definition of new is very vague here but any suggestion would help.  Idea is that splunk should be able to compare type of events were being logged earlier and only show new events that were not present before. 

That would help finding any new Exceptions Errors or Warning that are being logged and not yet surfaced as a failed customer interaction. 

Example:  After a new code release,  our application started logging an WARN event regarding "open file handlers" that kept building up over the time and ultimately reached a stage where no more unix file handlers were available to process any new request. 

Labels (1)
0 Karma


You could try dedup which will pick the first occurrence of each value so any occurrence that is after the release date must be new to that release

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...