Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How I compare multivalued fields over time?

jambajuice
Communicator
‎01-20-2011 08:48 PM

I perform a search that has results like the following where dest_port is a multivalued field:

There are three fields in the results: _time, dest_ip, and dest_port. The results look like:

1/1/11, 192.168.2.200, 80 139 445 8000 9997 (the dest_port field is multivalued)

1/8/11, 192.168.2.200, 22 443 139 445 9997

So, in this example, after one week, ports 80 and 8000 were not present in the results and ports 443 and 22 newly appeared.

How do I write a search that will list the ports that are present in the first event but not the second? How do I write a search that will list the ports that are present in the second event and not in the first event?

The search results will contain multiple events, so I don't think the diff command will work since you have to statically define pos1 and pos2. I can use the dedup command to ensure that only the two most recent events for each host are present in the search results, but I don't know how to compare the contents of the multi-value dest_port field by dest_ip.

Thanks!

Craig

Tags (2)
Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-04-2011 03:38 AM

I believe your answer is here: http://answers.splunk.com/questions/11287/comparing-multivalue-fields

Reply

sideview
SplunkTrust
SplunkTrust
‎01-20-2011 11:38 PM

It's definitely some tricky country you're getting into but I would look at the mvexpand command. I feel like there's a way to mvexpand the port field and then just use dedup and/or stats to get your answer. I'll try and write more if i have another free moment.

Reply

jambajuice
Communicator
‎01-20-2011 11:39 PM

Thanks, Nick. I appreciate it.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...