Splunk Search

How to compare most recent results with previous search results?

vinchakov_a
Path Finder

Open ports are check every 5 minutes.

index=os sourcetype=openPorts host=myhost earliest = -5m@m

udp      123
udp     1514
udp     1506
udp     1505
udp     1504
udp     1503
udp     1502
udp     1501
udp      514
udp      123
udp      123
udp      123
udp      631
tcp     8000
tcp     8089
tcp       22
tcp     9997

Is it possible to compare the most recent values with the previous results?

Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Something like this

|set diff [search index=os sourcetype=openPorts host=myhost earliest = -5m@m][index=os sourcetype=openPorts host=myhost earliest = -10m@m latest=-5m@m]

Add "|table <>" to both the subsearches to better results.
There could be more better approach to this but you need to provide more details on the data, comparison you want to do to arrive on one.

View solution in original post

vinchakov_a
Path Finder

It's work:

| set diff [ | search index=os sourcetype=openPorts host=host1 earliest = -5m@m | dedup Port | table Port][ | search index=os sourcetype=openPorts host=host2 earliest = -10m@m latest=-6m@m | dedup Port | table Port]

And I recieve: No results found.

The following step a cycle of all hosts. It is real? I don't want to write alert on each host separately.

0 Karma

somesoni2
Revered Legend

Something like this

|set diff [search index=os sourcetype=openPorts host=myhost earliest = -5m@m][index=os sourcetype=openPorts host=myhost earliest = -10m@m latest=-5m@m]

Add "|table <>" to both the subsearches to better results.
There could be more better approach to this but you need to provide more details on the data, comparison you want to do to arrive on one.

vinchakov_a
Path Finder

Thank you!

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...