Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How I compare multivalued fields over time?

jambajuice
Communicator
‎01-20-2011 08:48 PM

I perform a search that has results like the following where dest_port is a multivalued field:

There are three fields in the results: _time, dest_ip, and dest_port. The results look like:

1/1/11, 192.168.2.200, 80 139 445 8000 9997 (the dest_port field is multivalued)

1/8/11, 192.168.2.200, 22 443 139 445 9997

So, in this example, after one week, ports 80 and 8000 were not present in the results and ports 443 and 22 newly appeared.

How do I write a search that will list the ports that are present in the first event but not the second? How do I write a search that will list the ports that are present in the second event and not in the first event?

The search results will contain multiple events, so I don't think the diff command will work since you have to statically define pos1 and pos2. I can use the dedup command to ensure that only the two most recent events for each host are present in the search results, but I don't know how to compare the contents of the multi-value dest_port field by dest_ip.

Thanks!

Craig

Tags (2)
Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-04-2011 03:38 AM

I believe your answer is here: http://answers.splunk.com/questions/11287/comparing-multivalue-fields

Reply

sideview
SplunkTrust
SplunkTrust
‎01-20-2011 11:38 PM

It's definitely some tricky country you're getting into but I would look at the mvexpand command. I feel like there's a way to mvexpand the port field and then just use dedup and/or stats to get your answer. I'll try and write more if i have another free moment.

Reply

jambajuice
Communicator
‎01-20-2011 11:39 PM

Thanks, Nick. I appreciate it.

0 Karma
Reply
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...