How to count number of occurrences made of a "set diff" command, using a different time range

evang_26
Communicator

Hi,

I am challenging myself to solve a problem which came up last week.

The idea is to first make a set diff between two different time frames, which results in an IP table, and then take all those IPs and count how many times they appeared in a much larger time frame.

I have "set diff" working for now, giving me the IP table with the uncommon IPs correctly. What I can't think of, is how/where to feed this table.

| set diff [search source=*Host_Enumeration*  earliest=-14d@d latest=-8d@d    | stats count by dest_ip |sort dest_ip  | table dest_ip ] [search source=*Host_Enumeration* earliest=-7d@d latest=now   | stats count by dest_ip  |sort dest_ip  | table dest_ip ] | search earliest=-30d latest=now | stats count(dest_ip) by dest_ip

The above query works until the end of "set diff". Where everything gets screwed up is in the search.

I am not sure if this is very easy or not, but if you could give me a hint or whatever, I would be grateful.

Regards,
Evang

1 Solution

somesoni2
Revered Legend

Try this (assuming, for searching in the longer period, the source remains the same)

source=*Host_Enumeration* earliest=-30d latest=now  [| set diff [search source=*Host_Enumeration*  earliest=-14d@d latest=-8d@d    | stats count by dest_ip |sort dest_ip  | table dest_ip ] [search source=*Host_Enumeration* earliest=-7d@d latest=now   | stats count by dest_ip  |sort dest_ip  | table dest_ip ]] 
| stats count(dest_ip) by dest_ip
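To make the two-stage logic of the accepted answer concrete, here is an added Python emulation (not Splunk code, and not part of this thread) that runs the same pipeline over a constructed event list: collect dest_ip values in window A (-14d@d to -8d@d) and window B (-7d@d to now), apply `set diff`, then count events for the surviving IPs across the 30-day window. The one thing worth checking before relying on the query is that Splunk's `set diff` is a symmetric difference: it keeps IPs that appear in either window but not both, so "disappeared" IPs are counted alongside "new" ones. The `new_this_week` function shows the B-minus-A variant for comparison. The timestamps, `NOW`, and the IPs are all constructed; window boundaries follow Splunk's inclusive `earliest` / exclusive `latest` convention.

```python
from datetime import datetime, timedelta

# Constructed, fixed "now" so the relative windows are deterministic.
NOW = datetime(2024, 6, 15, 12, 0, 0)

# Constructed events: (timestamp, dest_ip). Comments say which window each falls in.
EVENTS = [
    (NOW - timedelta(days=12), "10.0.0.1"),  # window A
    (NOW - timedelta(days=3),  "10.0.0.1"),  # window B -> seen in both, dropped by set diff
    (NOW - timedelta(days=10), "10.0.0.2"),  # window A only ("disappeared" IP)
    (NOW - timedelta(days=9),  "10.0.0.2"),
    (NOW - timedelta(days=20), "10.0.0.2"),  # between the windows, still inside 30d
    (NOW - timedelta(days=2),  "10.0.0.3"),  # window B only ("new" IP)
    (NOW - timedelta(days=25), "10.0.0.3"),  # inside 30d but outside both windows
    (NOW - timedelta(days=25), "10.0.0.4"),  # never in A or B -> never selected
    (NOW - timedelta(days=1),  "10.0.0.5"),  # window B only
    (NOW - timedelta(days=5),  "10.0.0.5"),
    (NOW - timedelta(hours=6), "10.0.0.5"),
    (NOW - timedelta(days=40), "10.0.0.5"),  # older than 30d, not counted
]


def snap_to_day(t):
    """Equivalent of Splunk's @d snap: truncate to midnight."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def ips_in_window(events, start, end):
    """dest_ip values seen in [start, end); mirrors `... | stats count by dest_ip | table dest_ip`."""
    return {ip for t, ip in events if start <= t < end}


def set_diff(a, b):
    """Splunk `set diff`: rows in either subsearch but not in both (symmetric difference)."""
    return a ^ b


def count_by_ip(events, ips, start, end):
    """Mirrors `source=... earliest=-30d latest=now [subsearch] | stats count(dest_ip) by dest_ip`.

    The subsearch result acts as a filter (dest_ip=x OR dest_ip=y ...), then stats counts per IP.
    """
    counts = {}
    for t, ip in events:
        if ip in ips and start <= t < end:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def windows(now):
    """Relative time windows used by the query, with @d snapping where the query uses it."""
    d = timedelta
    window_a = (snap_to_day(now - d(days=14)), snap_to_day(now - d(days=8)))
    window_b = (snap_to_day(now - d(days=7)), now)
    long_window = (now - d(days=30), now)
    return window_a, window_b, long_window


def run(events, now=NOW):
    """Full pipeline from the accepted answer: set diff, then count over 30 days."""
    window_a, window_b, long_window = windows(now)
    uncommon = set_diff(ips_in_window(events, *window_a), ips_in_window(events, *window_b))
    return count_by_ip(events, uncommon, *long_window)


def new_this_week(events, now=NOW):
    """Variant: only IPs present in window B and absent from window A (B minus A, not a set diff)."""
    window_a, window_b, _ = windows(now)
    return ips_in_window(events, *window_b) - ips_in_window(events, *window_a)


if __name__ == "__main__":
    print(run(EVENTS))            # {'10.0.0.2': 3, '10.0.0.3': 2, '10.0.0.5': 3}
    print(new_this_week(EVENTS))  # {'10.0.0.3', '10.0.0.5'}
```

Note that 10.0.0.2 is counted even though it never appears in the recent week, because it was in window A only; if the goal is "IPs new this week", the set-diff subsearch should be replaced by the B-minus-A logic. Also, Splunk subsearches are subject to result-count limits, so a large IP table can be silently truncated; the search job's messages will show when that happens.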

evang_26
Communicator

Thank you very much somesoni2.

That worked perfectly!

Regards,
Evang
