Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count number of occurrences made of a "set diff" command, using a different time range

evang_26
Communicator
‎08-27-2014 02:16 AM

Hi,

I am challenging myself to solve a problem which came up last week.

The idea is to first make a set diff between two different time frames which result to an IP table, and then take all those IPs and count how many times they appeared in a much larger time frame.

I have "set diff" working for now, giving me the IP table with the uncommon IPs correctly. What I can't think of, is how/where to feed this table.

| set diff [search source=*Host_Enumeration*  earliest=-14d@d latest=-8d@d    | stats count by dest_ip |sort dest_ip  | table dest_ip ] [search source=*Host_Enumeration* earliest=-7d@d latest=now   | stats count by dest_ip  |sort dest_ip  | table dest_ip ] | search earliest=-30d latest=now | stats count(dest_ip) by dest_ip

Above query works till the end of "set diff". Where everything is screwed up is on the search.

I am not sure if this is very easy or not, but if you could give me a hint or whatever, I would be grateful.

Regards,
Evang

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-27-2014 01:55 PM

Try this (assuming, for searching in the longer period, the source remains the same)

source=*Host_Enumeration* earliest=-30d latest=now  [| set diff [search source=*Host_Enumeration*  earliest=-14d@d latest=-8d@d    | stats count by dest_ip |sort dest_ip  | table dest_ip ] [search source=*Host_Enumeration* earliest=-7d@d latest=now   | stats count by dest_ip  |sort dest_ip  | table dest_ip ]] 
| stats count(dest_ip) by dest_ip

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-27-2014 01:55 PM

Try this (assuming, for searching in the longer period, the source remains the same)

source=*Host_Enumeration* earliest=-30d latest=now  [| set diff [search source=*Host_Enumeration*  earliest=-14d@d latest=-8d@d    | stats count by dest_ip |sort dest_ip  | table dest_ip ] [search source=*Host_Enumeration* earliest=-7d@d latest=now   | stats count by dest_ip  |sort dest_ip  | table dest_ip ]] 
| stats count(dest_ip) by dest_ip
Reply
Solved! Jump to solution

evang_26
Communicator
‎09-01-2014 05:17 AM

Thank you very much somesoni2.

That worked perfectly!

Regards,
Evang

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...