Splunk Search

Listing a field where another specified field has changed?

a2368026
New Member

Hello Splunk Answers!

Excuse the rookie question. I have a Splunk instance that is consuming data with events that look like this:

date, domain_accessed, user_visiting_domain, domain_category

I want to create a search where I compare the 'domain_category' on the current day to the same field over a specific period!

For instance, I want the search to list domains that are currently categorised as 'storage' and then search over the previous months for the same domain, but only show those which have NOT been previously categorised as 'storage'.

I.e. I want to identify all 'domains_accessed' where the category has changed from '---' to 'storage' in a given period of time?

Any help gratefully received!

a2368026


maciep
Champion

There are probably a bunch of ways to do this. You could use a subsearch to find all of the domains_accessed that were not storage and add those to filter your main search for current storage categories.

Or you could probably use join to combine results from today's data with last month's data on the domains_accessed field, similar to a SQL join.

But typically, if you can avoid subsearches and joins, then you probably should. And so I think you can get away with stats here.

index=some_access_logs 
| stats latest(domain_category) as current_category, earliest(domain_category) as first_category by domain_accessed 
| where current_category="Storage" AND first_category!="Storage" 

So if you run that over a few months, it should provide you the domains_accessed that were not storage at the beginning of the period but are now. It won't tell you when it switched; not sure if that's needed? I know you say never previously Storage... but not sure when "previously" starts? If it matters when exactly it became storage, that's probably doable with stats too.

Hope this helps.

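As an added example (not part of maciep's answer or the original thread), the same stats-only approach extended to also answer the "when did it switch" question. It assumes the index name `some_access_logs` from the answer above and the field names from the question; the 90-day window is an arbitrary choice. Two details matter in practice: string comparisons in `where` are case-sensitive, so a category stored as 'storage' will never match "Storage" unless the value is normalised first, and the time of the change can be pulled out of the same `stats` pass with an `eval` inside `min()` rather than with a subsearch or join.

```spl
index=some_access_logs earliest=-90d@d latest=now
| eval domain_category=lower(domain_category)
| stats earliest(domain_category) as first_category,
        latest(domain_category)   as current_category,
        values(domain_category)   as categories_seen,
        min(eval(if(domain_category="storage", _time, null()))) as first_seen_as_storage
        by domain_accessed
| where current_category="storage" AND first_category!="storage"
| eval first_seen_as_storage=strftime(first_seen_as_storage, "%Y-%m-%d %H:%M:%S")
| table domain_accessed first_category current_category first_seen_as_storage categories_seen
```

`earliest()` and `latest()` are ordered by `_time`, not by the order events were indexed, so late-arriving data does not disturb the result. `first_seen_as_storage` is the timestamp of the first event in the window where the domain carried the 'storage' category, which is the closest `stats` alone can get to "when it switched". One caveat: a domain that went storage, then something else, then back to storage within the window has `first_category="storage"` and is dropped by the `where`; if that case matters, the `categories_seen` column is there to spot it, or `streamstats` over the time-sorted events is the better tool.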