SPL query help

KulvinderSingh · ‎06-19-2024

Hi All,

Need some help with SPL query to compare the data from same host on 2 different dates and give me a status as "found" or "not found" . Status = Found if it finds the notepad is still installed on same Path on the same machine else not found.

so far I have created a kvstore lookup to store the data but cannot come up with logic to compare the data

I have added sample data below. All help is appreciated.

HostNameExeVersion Path ProductName RunDate sourcetype
xxxxx null C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.3996_none_e397b63725671b86\f\notepad.exe null 2024-06-13 07:41:37 feed
xxxxx null C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.3996_none_e397b63725671b86\r\notepad.exe null 2024-06-14 07:41:37 feed

ITWhisperer · ‎06-19-2024

Assuming you have a way to uniquely identify your events, you could try something like this:

Read current data
Set a field to 1
Append previous data (setting field to 2)
Sum the field by unique id

Where sum is 3, the id exists in both data sets; where it is 2, it exists previous data set, where is 1 it only exists in current data set.

SPL query help

subsearch

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI

Are you a member of the Splunk Community?

SPL query help

subsearch

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI