Splunk Search

How do I find events that appear today that did not appear yesterday?

Communicator

I am trying to identify events that occur in events collected today that did not happen yesterday. I looked at the delta and diff commands but I think I am missing something. I understand this question is somewhat vague; however, hopefully someone can point me in the right direction.
Thank you,

1 Solution

Path Finder

You might want to look at subsearches.

For example, look at this search query:


source=WinEventLog:System ([| search source=WinEventLog:System earliest=-6h latest=-3h | table EventCode]) | stats count by EventCode

This would return a table of EventCodes and Event Counts for each where the EventCode of an event in my given search frame equals one of the EventCodes discovered in the subsearch.

So to get the opposite effect:

source=WinEventLog:System NOT ([| search source=WinEventLog:System earliest=-6h latest=-3h | table EventCode]) | stats count by EventCode

This, in theory, should return any event that occurred during my specified time frame with an EventCode that was not returned by the subsearch.

Do be careful with Subsearches, however, as they can severely impact system performance.

Anyway, I hope that gets you in the right direction.


New Member

Another possible approach that doesn't require a subsearch. Use if to set a variable to 1 if the time is within the last day and 0 if it is older. Sum the variable to get a count of events that happened in the last 24 hours and count all the events. If all of the events are new (AllCount=NewCount), then the event has only happened in the last 24 hours.

Example:
table _time host Code | eval cutOffTime=relative_time(now(),"-24h"), New=if(_time>cutOffTime,1,0) | stats sum(New) as NewCount, count as AllCount by host, Code | where AllCount=NewCount

0 Karma

Explorer

I use dedup instead of subsearches to identify New (over 'All time' range) or Infrequent (over 'Last X days' range) event types, for example:

sourcetype=WinEventLog* | dedup host, LogName, SourceName, EventCode sortby +_time | eval epochevent=_time | eval epochwindow=relative_time(now(), "-1d" ) | where epochevent>=epochwindow | table host, LogName, SourceName, EventCode, Message, _time

Change "-1d" in the search to narrow or broaden the differential range and schedule your alert to the same frequency.

0 Karma
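Running the dedup search over "All time" on every alert cycle gets slower as the index grows, and what counts as "new" silently depends on the retention of the index. The searches below are an added example, not part of the post above, that generalize the dedup approach by persisting the first-seen time of each host/LogName/SourceName/EventCode combination in a CSV lookup; the lookup name `first_seen_eventcodes.csv` and the 30-day seed window are assumptions, the field names are the ones used in the post. The first search seeds the baseline once, the second is the daily alert (new combinations are the ones with no `known_since`), and the third, scheduled to run after the alert, folds yesterday's combinations into the baseline:

```spl
sourcetype=WinEventLog* earliest=-30d@d latest=@d
| stats min(_time) as first_seen by host, LogName, SourceName, EventCode
| outputlookup first_seen_eventcodes.csv

sourcetype=WinEventLog* earliest=-1d@d latest=@d
| stats min(_time) as first_seen, count, latest(Message) as Message by host, LogName, SourceName, EventCode
| lookup first_seen_eventcodes.csv host LogName SourceName EventCode OUTPUT first_seen as known_since
| where isnull(known_since)
| fieldformat first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")

sourcetype=WinEventLog* earliest=-1d@d latest=@d
| stats min(_time) as first_seen by host, LogName, SourceName, EventCode
| inputlookup append=t first_seen_eventcodes.csv
| stats min(first_seen) as first_seen by host, LogName, SourceName, EventCode
| outputlookup first_seen_eventcodes.csv
```

The seed search must run before the other two because `inputlookup append=t` errors out when the file does not exist yet. The window you seed with defines the baseline: with a 30-day seed, anything that last occurred more than 30 days ago is reported as new on its first return, which is the "Infrequent" case the post describes rather than a genuinely never-seen event. Keep the update search scheduled after the alert search; if it runs first, yesterday's combinations are already in the baseline when the alert looks them up and nothing is ever reported.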

Communicator
0 Karma

Path Finder

I downvoted this post because the answer just links back to the question.

0 Karma

SplunkTrust

I think three identical comments 2.5 years later is enough 🙂

0 Karma

Path Finder

I downvoted this post because this 'answer' recommends visiting the question that the answer is supposedly answering. I think the poster meant to post this answer as an answer (or comment) on some other question.

0 Karma

SplunkTrust

That's this very page?

0 Karma

SplunkTrust

Depending on your specific problem, you may be able to drop the subsearch through something like this (untested, pseudosplunk):

source and whatnot, from yesterday midnight to now | chart count by EventCode date_mday | where yesterday = 0 AND today > 0

Note, you still need to figure out a way to address the columns for today and yesterday correctly.

0 Karma
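The accepted subsearch answer and the `chart ... | where yesterday = 0 AND today > 0` sketch above compute the same set difference. The search below is an added example, not taken from either post, that turns the sketch into a runnable, subsearch-free form and names the two columns explicitly so the `where` clause can address them. `source=WinEventLog:System` and the field `EventCode` are taken from the accepted answer; the calendar-day anchors (`-1d@d` is midnight yesterday, `@d` is midnight today) are my choice, so "yesterday" means the previous calendar day rather than a rolling 24 hours:

```spl
source=WinEventLog:System earliest=-1d@d latest=now
| eval day=if(_time>=relative_time(now(), "@d"), "today", "yesterday")
| stats count(eval(day=="today")) as today, count(eval(day=="yesterday")) as yesterday, min(_time) as first_seen by EventCode
| where yesterday=0 AND today>0
| fieldformat first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
```

The reason to prefer this over `NOT [search ...]` is not only performance. A subsearch is bounded by the `[subsearch]` limits in limits.conf, by default 10,000 results and 60 seconds; when either limit is hit the OR-list it returns is truncated (the job inspector shows a warning, but the outer search still completes), so `NOT [...]` then lets through EventCodes that did occur yesterday and reports them as new. If you keep the subsearch form anyway, return distinct values with `| stats count by EventCode | fields EventCode` instead of `| table EventCode`, so the 10,000-row limit counts distinct codes rather than raw events.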


Communicator

Behold the power of Splunk. Thank you!

0 Karma