Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get change events only?

eranhauser
Path Finder
‎09-27-2023 02:08 PM

I  have events with the following keys: key1, key2 & key3.

I would like to get the change events i.e. events that their key1, key2 & key3 values are not in the events of previous day. 

What should the query look like?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-27-2023 03:05 PM

What data is the correlation between the same event - please give an example of the data you may see and what you would expect.

For example, if you have an event yesterday with 

key1=A, key2=B,key3=C

and an event today with

key1=A, key2=B,key3=D

what do you want to show? If you have lots of events with different fields, is there some common object that connects those events to today's events?

0 Karma
Reply

eranhauser
Path Finder
‎09-27-2023 03:50 PM

a change event is considered if any combination of key1, key2 & key3 is new. In your example key1=A, key2=B,key3=D will be considered as a new event.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-27-2023 03:58 PM

then something like

index=your_index earliest=-1d@d latest=now()
``` Collect all combinations of key 1, 2 and 3 by day ```
| bin _time span=1d
| stats count by _time key1 key2 key3
``` Count the number of days these key combinations occur ```
| stats dc(_time) as times list(_time) as days by key1 key2 key3
``` and then if there is only 1 variant and it is today, it's a new type ```
| where times=1 AND days=relative_time(now(), "@d")
0 Karma
Reply

eranhauser
Path Finder
‎09-27-2023 06:25 PM

There should be something similar to SQL in splunk like right outer joint no? 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-28-2023 05:19 PM

There is a join command, but it is NOT the first, second or third choice for a Splunk solution - you can and should always use stats to join data. join has limitations, requires a second search to do the join data.

This stats command is effectively calculating all the similar triplets by time and where there are two times (e.g. 2 days) you have a non-change event, so discard it.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...