Solved: How to compare two fields values for two different...

faisal_saifi · ‎12-14-2016

index=nessus severity!=informational severity!=low severity!=medium earliest=-1mon@mon latest=-0mon@mon | top 0 signature | fields - count,percent | rename signature as sign1 | appendcols [search index=nessus severity!=informational severity!=low severity!=medium earliest=-2mon@mon latest=-1mon@mon | top 0 signature | fields - count,percent | rename signature as sign2 ] | where sign1 = sign2

using above search to count the same signature triggered for two different months. i need to compare all values of field sign1 with all values of field sign2. but sign1=sign2 is comparing only the values in same row not the full column.

somesoni2 · ‎12-14-2016

Try like this (will return signatures which are available in both time ranges).

index=nessus severity!=informational severity!=low severity!=medium earliest=-2mon@mon latest=-0mon@mon 
| eval timerange=if(_time>relative_time(now(),"-1mon@mon"),"timerange1","timerange2") 
| stats dc(timerange) as timerange by signature | where timerange=2

View solution in original post

somesoni2 · ‎12-14-2016

Try like this (will return signatures which are available in both time ranges).

index=nessus severity!=informational severity!=low severity!=medium earliest=-2mon@mon latest=-0mon@mon 
| eval timerange=if(_time>relative_time(now(),"-1mon@mon"),"timerange1","timerange2") 
| stats dc(timerange) as timerange by signature | where timerange=2

How to compare two fields values for two different time ranges

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

How to compare two fields values for two different time ranges

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability