Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to find differences of a field's values betwee...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to find differences of a field's values between time ranges?
Hello,
Long story on why but I need to run a report on some squid logs based on the host name of the URL visited by the client through the squid proxy (field is url_host). I need to see any new url_host entries since a certain time period to see what changed since my last report - essentially, get me a list of new url_host's I didn't see the last time or time before that, etc. My search is below but it doesn't seem to negate the url_host field values of the inner search. The inner search is what I want to negate and anything new, give me stats on the url_host by count.
Tried two different ways - first way below returns items that are still in the inner search:
sourcetype=squid earliest="7/17/2014:00:00:00" latest=now NOT [ search sourcetype=squid earliest="6/18/2014:00:00:00" latest="7/16/2014:23:59:59" | fields url_host ] | fields url_host | stats count by url_host
Second way also appears to give me results that I know are in both searches:
| set diff [search sourcetype=squid earliest="7/17/2014:00:00:00" latest=now | fields url_host] [search sourcetype=squid earliest="6/18/2014:00:00:00" latest="7/16/2014:23:59:59" | fields url_host] | stats count by url_host
Thanks in advance to anyone who answers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey thanks for the really quick answer. I learned more about different commands with that but unfortunately it still shows results from the previous time period. I just assumed Splunk could do this easily so how - there's ALWAYS a way to do it with Splunk but this may just be easier for me to knock it out in Excel.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
sourcetype=squid earliest="7/17/2014:00:00:00" latest=now
| stats count by url_host | eval Period="current"
| append [ search sourcetype=squid earliest="6/18/2014:00:00:00" latest="7/16/2014:23:59:59" | stats count by url_host | eval Period="past" ]
| stats values(Period) as Periods by url_host | where mvcount(Periods)=1 AND Periods="current"
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
