Splunk Search

How to find the count of new services after excluding the history events

Woodpecker
Path Finder

Hi,

I have a query that finds the values of service_name and service_name_count by user, Account_name. I need to search for service_name_count>5, which is flagged as |eval flag1=new, and I need to exclude the history from the search using | join type=left user,Account_name [base query... earliest=-15d and latest=-7d], which is flagged as |eval flag2=history.

I need to search only for events matching | search flag1="New" NOT flag2="History".

Apart from these, I need to find:

1. Total count of new services (count the new services from all the requests that have at least 5 new services).

2. Count of the requests where each request has at least 5 new services.

These need to be grouped by account_name, user.

Please help me with any suggestions to find the above.

My sample code is here:


index=test_index sourcetype=test_sourcetype
| fields Service_Name Service_Name_Count Account_Name Account_Domain user Source_IP index sourcetype 
| stats earliest(_time) as earliest latest(_time) as latest values(Service_Name) as Service_Name values(Service_Name_Count) as Service_Name_Count values(Account_Name) as Account_Name values(Account_Domain) as Account_Domain values(Source_IP) as Source_IP values(index) as orig_index values(sourcetype) as orig_sourcetype by user 
| convert ctime(earliest) ctime(latest)
| search Service_Name_Count > 5 
| eval flag1="New", flag2="n.a." 
| join type=left Account_Name Service_Name 
    [ search index IN (test_index2,test_index3) sourcetype=test_sourcetype2 EventCode=1234 earliest=-15d latest=-7d 
    | fields Account_Name user Account_Domain Service_Name src_ip 
    | rename src_ip as Source_IP 
    | eval flag2="History"] 
| search flag1="New" NOT flag2="History" 
| table earliest latest Account_Name user Account_Domain Service_Name_Count Service_Name Source_IP flag1 flag2


Thanks in advance!


ITWhisperer
SplunkTrust

Try something like this:

index=test_index sourcetype=test_sourcetype NOT [search index IN (test_index2,test_index3) sourcetype=test_sourcetype2 EventCode=1234 earliest=-15d latest=-7d 
    | fields Account_Name Service_Name
    | dedup Account_Name Service_Name] 
| fields Service_Name Service_Name_Count Account_Name Account_Domain user Source_IP index sourcetype 
| stats earliest(_time) as earliest latest(_time) as latest values(Service_Name) as Service_Name values(Service_Name_Count) as Service_Name_Count values(Account_Name) as Account_Name values(Account_Domain) as Account_Domain values(Source_IP) as Source_IP values(index) as orig_index values(sourcetype) as orig_sourcetype by user 
| convert ctime(earliest) ctime(latest)
| search Service_Name_Count > 5 
| table earliest latest Account_Name user Account_Domain Service_Name_Count Service_Name Source_IP
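An added example, not from either post above, that extends the NOT-subsearch approach to the two counts the question asks for (total new services, and number of requests with at least 5 new services, per Account_Name and user). It assumes each event carries a request_id field identifying the request and a possibly multivalue Service_Name; both are assumptions, and the index, sourcetype and EventCode values are the placeholders from the posts.

```spl
index=test_index sourcetype=test_sourcetype
| fields _time request_id Account_Name user Account_Domain Service_Name Source_IP
| mvexpand Service_Name
| search NOT [ search index IN (test_index2,test_index3) sourcetype=test_sourcetype2 EventCode=1234 earliest=-15d latest=-7d
               | fields Account_Name Service_Name
               | dedup Account_Name Service_Name ]
| stats earliest(_time) AS earliest latest(_time) AS latest dc(Service_Name) AS new_service_count values(Service_Name) AS new_services BY Account_Name user request_id
| where new_service_count >= 5
| stats count AS requests_with_5_or_more_new sum(new_service_count) AS total_new_services dc(new_services) AS distinct_new_services values(new_services) AS new_services min(earliest) AS earliest max(latest) AS latest BY Account_Name user
| convert ctime(earliest) ctime(latest)
```

The history exclusion runs after mvexpand, so it removes only the historic Account_Name/Service_Name pairs rather than whole events, and Service_Name is single-valued at the point it is compared; the first stats counts distinct new services per request, the where applies the "at least 5" threshold from the question, and the second stats rolls those requests up per account and user.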