Splunk Search

How to find differences of a field's values between time ranges?

davespatz
Explorer

Hello,

Long story on why but I need to run a report on some squid logs based on the host name of the URL visited by the client through the squid proxy (field is url_host). I need to see any new url_host entries since a certain time period to see what changed since my last report - essentially, get me a list of new url_host values I didn't see the last time or time before that, etc. My search is below but it doesn't seem to negate the url_host field values of the inner search. The inner search is what I want to negate and anything new, give me stats on the url_host by count.

Tried two different ways - first way below returns items that are still in the inner search:

sourcetype=squid earliest="7/17/2014:00:00:00" latest=now NOT [ search sourcetype=squid earliest="6/18/2014:00:00:00" latest="7/16/2014:23:59:59" | fields url_host ] | fields url_host | stats count by url_host

Second way also appears to give me results that I know are in both searches:

| set diff [search sourcetype=squid earliest="7/17/2014:00:00:00" latest=now | fields url_host] [search sourcetype=squid earliest="6/18/2014:00:00:00" latest="7/16/2014:23:59:59" | fields url_host] | stats count by url_host

Thanks in advance to anyone who answers.

0 Karma

davespatz
Explorer

Hey thanks for the really quick answer. I learned more about different commands with that but unfortunately it still shows results from the previous time period. I just assumed Splunk could do this easily somehow - there's ALWAYS a way to do it with Splunk but this may just be easier for me to knock it out in Excel.

0 Karma

somesoni2
Revered Legend

Try this

sourcetype=squid earliest="7/17/2014:00:00:00" latest=now 
| stats count by url_host | eval Period="current"
| append [ search sourcetype=squid earliest="6/18/2014:00:00:00" latest="7/16/2014:23:59:59"  | stats count by url_host | eval Period="past" ]
| stats values(Period) as Periods by url_host | where mvcount(Periods)=1 AND Periods="current"

0 Karma
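An alternative added here (not from the thread) that avoids the subsearch entirely: one search over both periods computes the first time each url_host was seen and keeps only the hosts whose first appearance falls in the current period. It assumes the same sourcetype, field and dates as the question; because every event for such a host is by definition in the current period, its count is the current-period count the question asks for.

```spl
sourcetype=squid earliest="6/18/2014:00:00:00" latest=now
| stats min(_time) AS first_seen, count AS hits BY url_host
| where first_seen >= strptime("7/17/2014:00:00:00", "%m/%d/%Y:%H:%M:%S")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| sort - hits
```

Subsearches are capped by default (10,000 results, 60 seconds), so on a busy proxy the NOT [...] form can silently receive a partial host list, while this single-search form has no such cap. To compare against several earlier reports, widen earliest= and keep the first_seen threshold at the start of the period being reported on.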