Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SPL query help

KulvinderSingh
Path Finder
‎06-19-2024 04:12 AM

Hi All,

Need some help with SPL query to compare the data from same host on 2 different dates and give me a status as "found" or "not found" . Status = Found if it finds the notepad is still installed on same Path on the same machine else not found.

 

so far I have created a kvstore lookup to store the data but cannot come up with logic to compare the data

I have added sample data below. All help is appreciated.

 

HostNameExeVersion Path ProductName RunDate sourcetype
xxxxx null C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.3996_none_e397b63725671b86\f\notepad.exe null 2024-06-13 07:41:37 feed
xxxxx null C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.3996_none_e397b63725671b86\r\notepad.exe null 2024-06-14 07:41:37 feed

Labels (1)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-19-2024 04:44 AM

Assuming you have a way to uniquely identify your events, you could try something like this:

  • Read current data
  • Set a field to 1
  • Append previous data (setting field to 2)
  • Sum the field by unique id

Where sum is 3, the id exists in both data sets; where it is 2, it exists previous data set, where is 1 it only exists in current data set.

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...