Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to build query that Only shows new data compared to yesterday

winter0827
Engager
‎06-06-2022 09:47 PM

Hi all, I am trying to build a query that only shows the NEW results compared to yesterday.

I would like to get some alert and data to show ONLY if the message/key is new today, compared to the results yesterday.

for example: 

 

{query}
| stats count by key

 

Yesterday, the query returned - "key1", and "key2".

| key    | count |

| key1 | 10       |

| key2 | 5        |

Today, there are some results returned - "key1", and "key3". I would like to get the count of "key3" only as it is new today and didn't show up yesterday.

| key    | count |

| key3 | 15       |

Thanks in advance!

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-06-2022 10:25 PM 
{query}
| stats count values(date) as date by key
| where mvcount(date) = 1 AND date = today

Obviously, you will need to adjust for your real data and field names

View solution in original post

0 Karma
Reply
Solved! Jump to solution

marysan
Communicator
‎06-14-2022 01:26 AM

Assuming there is no "date" field in your log, first line, day field recognizes your day(today or yesterday or 2 days ago ...) , then second line specifies distinct days and count by each key and finally query shows unique keys related to today(day=1)
| eval day=round((now()-time)/86400,0)
| stats count,dc(day) as day_count by key
| where day_count =1 AND day=1 AND count=1

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-06-2022 10:25 PM 
{query}
| stats count values(date) as date by key
| where mvcount(date) = 1 AND date = today

Obviously, you will need to adjust for your real data and field names

0 Karma
Reply
Solved! Jump to solution

winter0827
Engager
‎06-13-2022 03:47 PM

Thanks, that solves my problem.

A follow up: how can I compare the values in last 2 weeks and only show the new ones in this week?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-13-2022 10:23 PM

Please clarify what you are trying to do - is it just a matter of setting the timeframe and using a span of 1 week instead of 1 day?

0 Karma
Reply
Solved! Jump to solution

winter0827
Engager
‎06-14-2022 01:10 AM

firstly, I would like to compare day to day data. And list the count by key.

and then I want to expand the timeframe and compare the week by week, month by month data. 

for both cases above, I want to know which values are NEW in last day/week/month.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-14-2022 01:18 AM

Bucket the time by the appropriate span and compare against the current bucket. Something like this

{query}
| bin _time as date span=1w
| eval today=relative_time(now(),"@w")
| stats count values(date) as date by key
| where mvcount(date) = 1 AND date = today
{query}
| bin _time as date span=1mon
| eval today=relative_time(now(),"@mon")
| stats count values(date) as date by key
| where mvcount(date) = 1 AND date = today

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...