Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find the count of new services after excluding the history events

Woodpecker
Path Finder
‎08-13-2023 11:26 PM

Hi..

I have a query that finds the values of service_name and service_name_count by user,Account_name .. I need to search for service_name_count>5 which is flagged as |eval flag1=new, and I need to exclude the history from the search using | join type=left user,Account_name [base query... earliest=-15d and latest=-7d].. . which is flagged as |eval flag2=history

I need to search only for events | search flag1="New" NOT flag2="History" 

Apart from these I need to find
1. Total count of new services (count the new services from all the requests that have at least 5 new services

2. Count the number of requests where each request have at least 5 new services

These needs to be grouped by account_name user

Please help me with any suggestions to find the above

my sample code here:

 

index=test_index sourcetype=test_sourcetype
| fields Service_Name Service_Name_Count Account_Name Account_Domain user Source_IP index sourcetype 
| stats earliest(_time) as earliest latest(_time) as latest values(Service_Name) as Service_Name values(Service_Name_Count) as Service_Name_Count values(Account_Name) as Account_Name values(Account_Domain) as Account_Domain values(Source_IP) as Source_IP values(index) as orig_index values(sourcetype) as orig_sourcetype by user 
| convert ctime(earliest) ctime(latest)
| search Service_Name_Count > 5 
| eval flag1="New", flag2="n.a." 
| join type=left Account_Name Service_Name 
    [ search index IN (test_index2,test_index3) sourcetype=test_sourcetype2 EventCode=1234 earliest=-15d latest=-7d 
    | fields Account_Name user Account_Domain Service_Name src_ip 
    | rename src_ip as Source_IP 
    | eval flag2="History"] 
| search flag1="New" NOT flag2="History" 
| table earliest latest Account_Name user Account_Domain Service_Name_Count Service_Name Source_IP flag1 flag2

 

Thanks in advance!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-14-2023 12:58 AM

Try something like this

index=test_index sourcetype=test_sourcetype NOT [search index IN (test_index2,test_index3) sourcetype=test_sourcetype2 EventCode=1234 earliest=-15d latest=-7d 
    | fields Account_Name Service_Name
    | dedup Account_Name Service_Name] 
| fields Service_Name Service_Name_Count Account_Name Account_Domain user Source_IP index sourcetype 
| stats earliest(_time) as earliest latest(_time) as latest values(Service_Name) as Service_Name values(Service_Name_Count) as Service_Name_Count values(Account_Name) as Account_Name values(Account_Domain) as Account_Domain values(Source_IP) as Source_IP values(index) as orig_index values(sourcetype) as orig_sourcetype by user 
| convert ctime(earliest) ctime(latest)
| search Service_Name_Count > 5 
| table earliest latest Account_Name user Account_Domain Service_Name_Count Service_Name Source_IP
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...