Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find differences of a field's values between time ranges?

davespatz
Explorer
‎08-11-2014 10:19 AM

Hello,

Long story on why but I need to run a report on some squid logs based on the host name of the URL visited by the client through the squid proxy (field is url_host). I need to see any new url_host entries since a certain time period to see what changed since my last report - essentially, get me a list of new url_host's I didn't see the last time or time before that, etc. My search is below but it doesn't seem to negate the url_host field values of the inner search. The inner search is what I want to negate and anything new, give me stats on the url_host by count.

Tried two different ways - first way below returns items that are still in the inner search:

sourcetype=squid earliest="7/17/2014:00:00:00" latest=now NOT [ search sourcetype=squid earliest="6/18/2014:00:00:00" latest="7/16/2014:23:59:59" | fields url_host ] | fields url_host | stats count by url_host

Second way also appears to give me results that I know are in both searches:

| set diff [search sourcetype=squid earliest="7/17/2014:00:00:00" latest=now | fields url_host] [search sourcetype=squid earliest="6/18/2014:00:00:00" latest="7/16/2014:23:59:59" | fields url_host] | stats count by url_host

Thanks in advance to anyone who answers.

0 Karma
Reply

davespatz
Explorer
‎08-13-2014 07:51 PM

Hey thanks for the really quick answer. I learned more about different commands with that but unfortunately it still shows results from the previous time period. I just assumed Splunk could do this easily so how - there's ALWAYS a way to do it with Splunk but this may just be easier for me to knock it out in Excel.

0 Karma
Reply

somesoni2
Revered Legend
‎08-11-2014 10:31 AM

Try this

sourcetype=squid earliest="7/17/2014:00:00:00" latest=now 
| stats count by url_host | eval Period="current"
| append [ search sourcetype=squid earliest="6/18/2014:00:00:00" latest="7/16/2014:23:59:59"  | stats count by url_host | eval Period="past" ]
| stats values(Period) as Periods by url_host | where mvcount(Periods)=1 AND Periods="current"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...