Splunk Search

How to find the count of new services after excluding the history events

Woodpecker
Path Finder

Hi..

I have a query that finds the values of service_name and service_name_count by user, Account_name. I need to search for service_name_count>5, which is flagged as |eval flag1=new, and I need to exclude the history from the search using | join type=left user,Account_name [base query... earliest=-15d and latest=-7d], which is flagged as |eval flag2=history.

I need to search only for events | search flag1="New" NOT flag2="History" 

Apart from these I need to find
1. Total count of new services (count the new services from all the requests that have at least 5 new services)

2. Count the number of requests where each request has at least 5 new services

These need to be grouped by account_name user

Please help me with any suggestions to find the above

my sample code here:


index=test_index sourcetype=test_sourcetype
| fields Service_Name Service_Name_Count Account_Name Account_Domain user Source_IP index sourcetype 
| stats earliest(_time) as earliest latest(_time) as latest values(Service_Name) as Service_Name values(Service_Name_Count) as Service_Name_Count values(Account_Name) as Account_Name values(Account_Domain) as Account_Domain values(Source_IP) as Source_IP values(index) as orig_index values(sourcetype) as orig_sourcetype by user 
| convert ctime(earliest) ctime(latest)
| search Service_Name_Count > 5 
| eval flag1="New", flag2="n.a." 
| join type=left Account_Name Service_Name 
    [ search index IN (test_index2,test_index3) sourcetype=test_sourcetype2 EventCode=1234 earliest=-15d latest=-7d 
    | fields Account_Name user Account_Domain Service_Name src_ip 
    | rename src_ip as Source_IP 
    | eval flag2="History"] 
| search flag1="New" NOT flag2="History" 
| table earliest latest Account_Name user Account_Domain Service_Name_Count Service_Name Source_IP flag1 flag2


Thanks in advance!


ITWhisperer
SplunkTrust

Try something like this

index=test_index sourcetype=test_sourcetype NOT [search index IN (test_index2,test_index3) sourcetype=test_sourcetype2 EventCode=1234 earliest=-15d latest=-7d 
    | fields Account_Name Service_Name
    | dedup Account_Name Service_Name] 
| fields Service_Name Service_Name_Count Account_Name Account_Domain user Source_IP index sourcetype 
| stats earliest(_time) as earliest latest(_time) as latest values(Service_Name) as Service_Name values(Service_Name_Count) as Service_Name_Count values(Account_Name) as Account_Name values(Account_Domain) as Account_Domain values(Source_IP) as Source_IP values(index) as orig_index values(sourcetype) as orig_sourcetype by user 
| convert ctime(earliest) ctime(latest)
| search Service_Name_Count > 5 
| table earliest latest Account_Name user Account_Domain Service_Name_Count Service_Name Source_IP
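The two counts the question asks for (total new services, and number of requests with at least 5 new services, both grouped by Account_Name and user) are not covered by the SPL above. The following Python is an added offline model of that logic, not Splunk code and not from either poster: it applies the same exclusion as the answer's NOT subsearch (drop every (Account_Name, Service_Name) pair seen in the history window), then aggregates. It assumes each current event is one request carrying the multivalued Service_Name list; the account, user and service values are constructed sample data.

```python
"""Offline model of the thread's "new service" logic: exclude (Account_Name,
Service_Name) pairs seen in the history window, count new services per request,
then aggregate per Account_Name and user.  All data below is constructed."""
from collections import defaultdict

# Constructed stand-in for the history subsearch (earliest=-15d latest=-7d):
# the (Account_Name, Service_Name) pairs that already existed for each account.
HISTORY_EVENTS = [
    {"Account_Name": "svc-acct-1", "Service_Name": "ldap"},
    {"Account_Name": "svc-acct-1", "Service_Name": "cifs"},
    {"Account_Name": "svc-acct-2", "Service_Name": "http"},
]

# Constructed current-window events.  Assumption: one event == one request,
# with Service_Name holding every service that request touched.
CURRENT_EVENTS = [
    {"user": "alice", "Account_Name": "svc-acct-1",
     "Service_Name": ["ldap", "cifs", "krbtgt", "host", "rpcss", "mssql", "wsman"]},
    {"user": "alice", "Account_Name": "svc-acct-1",
     "Service_Name": ["ldap", "cifs"]},
    {"user": "bob", "Account_Name": "svc-acct-2",
     "Service_Name": ["http", "svc-a", "svc-b", "svc-c", "svc-d", "svc-e", "svc-f"]},
    {"user": "bob", "Account_Name": "svc-acct-2",
     "Service_Name": ["svc-a", "svc-b", "svc-c", "svc-d", "svc-e"]},
    {"user": "carol", "Account_Name": "svc-acct-3",
     "Service_Name": ["svc-x", "svc-y", "svc-z"]},
]

# The question says "at least 5"; the posted SPL uses "> 5".  Threshold is a
# parameter so either reading can be modelled.
MIN_NEW_SERVICES = 5


def history_pairs(history_events):
    """Mirror of `fields Account_Name Service_Name | dedup Account_Name Service_Name`."""
    return {(e["Account_Name"], e["Service_Name"]) for e in history_events}


def new_services(event, known):
    """Services in this request not seen for this account in the history window."""
    return sorted({s for s in event["Service_Name"]
                   if (event["Account_Name"], s) not in known})


def summarize(current_events, history_events, min_new=MIN_NEW_SERVICES):
    """Per (Account_Name, user): sum of new services over flagged requests and
    the number of requests that met the threshold (the thread's flag1="New")."""
    known = history_pairs(history_events)
    totals = defaultdict(lambda: {"total_new_services": 0,
                                  "requests_with_new_services": 0})
    for ev in current_events:
        fresh = new_services(ev, known)
        if len(fresh) < min_new:
            continue  # below threshold: not a "New" request, contributes nothing
        key = (ev["Account_Name"], ev["user"])
        totals[key]["total_new_services"] += len(fresh)
        totals[key]["requests_with_new_services"] += 1
    return dict(totals)


if __name__ == "__main__":
    for (account, user), row in summarize(CURRENT_EVENTS, HISTORY_EVENTS).items():
        print(account, user, row)
```

Note that the history set is fixed for the whole current window, so a service that is new in one request stays new in later requests of the same window until it ages into the history range; that matches the subsearch semantics in the answer and is why bob's second request still counts five new services.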