Solved: How can I join these two tstats searches

tkw03 · ‎07-27-2020

The searches look like this in their base form

| tstats count where index=nix_os earliest=07/10/2020:00:00:00 latest=07/10/2020:23:59:59 by host
| tstats count where index=nix_os earliest=07/09/2020:00:00:00 latest=07/09/2020:23:59:59 by host

I was trying something like this but I can't seem to get it just right:

| tstats count where index=nix_os earliest=07/09/2020:00:00:00 latest=07/09/2020:23:59:59 by host
[| tstats append=true count where index=nix_os earliest=07/10/2020:00:00:00 latest=07/10/2020:23:59:59 by host prestats=true 
| stats count as newhost by host]

My goal is to find hosts that were not logging on the 9th that started on the 10th

thanks for the help!

richgalloway · ‎07-27-2020

The append command works.

| tstats count where index=nix_os earliest=07/09/2020:00:00:00 latest=07/09/2020:23:59:59 by host
| append [| tstats count where index=nix_os earliest=07/10/2020:00:00:00 latest=07/10/2020:23:59:59 by host prestats=true 
| stats count as newhost by host]
| stats values(*) as * by host

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎07-27-2020

The append command works.

| tstats count where index=nix_os earliest=07/09/2020:00:00:00 latest=07/09/2020:23:59:59 by host
| append [| tstats count where index=nix_os earliest=07/10/2020:00:00:00 latest=07/10/2020:23:59:59 by host prestats=true 
| stats count as newhost by host]
| stats values(*) as * by host

---
If this reply helps you, Karma would be appreciated.

How can I join these two tstats searches

count

join

subsearch

tstats

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?