Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare new and existing data

mbasharat
Contributor
‎03-21-2022 09:00 AM

Hi,

I have a field name VULN in index=ABC sourcetype=XYZ.

We need to know, if new VULN show up in 48hrs of data compared to 1 month ago. Basically, we need to see how many new VULNs are in data compared to last month and how many unique IPs are affected. 

Thanks in-advance!!!

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
Esteemed Legend
‎03-21-2022 11:46 PM

Hi @mbasharat,

sorry there was a mistyping, please try this:

index=ABC sourcetype=XYZ VULN=* earliest=-mon latest=now
| eval period=if(now()-_time>3600*48,"Before","Last_48_hours")
| stats dc(period) AS dc_period values(period) AS period BY VULN
| where dc_period=1 AND period="Last_48_hours"
| table VULN

There was a wrong less char "-".

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
Esteemed Legend
‎03-21-2022 09:27 AM

Hi @mbasharat,

you could try something like this:

index=ABC sourcetype=XYZ VULN=* earliest=-mon latest=now
| eval period=if(now()-_time>-3600*48,"Before","Last_48_hours")
| stats dc(period) AS dc_period values(period) AS period BY VULN
| where dc_period=1 AND period="Last_48_hours"
| table VULN

In this way you'll have the VULNs present in the last 48 hours but not in the last month.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

mbasharat
Contributor
‎03-21-2022 09:59 AM

Hi @gcusello 

 

I tried and I am getting no results for this. Then I removed Last_48_hrs and everything is falling under "Before"

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
Esteemed Legend
‎03-21-2022 11:46 PM

Hi @mbasharat,

sorry there was a mistyping, please try this:

index=ABC sourcetype=XYZ VULN=* earliest=-mon latest=now
| eval period=if(now()-_time>3600*48,"Before","Last_48_hours")
| stats dc(period) AS dc_period values(period) AS period BY VULN
| where dc_period=1 AND period="Last_48_hours"
| table VULN

There was a wrong less char "-".

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
Esteemed Legend
‎04-05-2022 11:22 PM

Hi @mbasharat,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...