Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search that Compares Historical Data, then Generates a Value to say if Data Matched or Not,Compare Historical Data and Report if Two Values Don't Match

rileylsmith1997
New Member
‎03-18-2019 03:35 PM

Hey all,

I'm trying to build a search where the system takes a look at whether or not two fields match across multiple events, and if they do, perform a historical comparison of another field's value, and if those two values mismatch, give me some way of figuring out if they do. IE a "1" value in a new field, or removing the event from the report I'm generating. Basically, a breakdown is as follows:

If across multiple events, value A & value B = value A & value B, then compare whether or not value C has the same value it did in the last 96 hours. If it does NOT, either a) remove the event from the report, or b) generate a TRUE/FALSE, or maybe a "1" in a new column to be output onto a table.

Hope this makes sense. Anyone that can help would be a huge help, as this would reduce workload massively.

Thanks,

0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...