Splunk Search

Search that Compares Historical Data, then Generates a Value to say if Data Matched or Not,Compare Historical Data and Report if Two Values Don't Match

rileylsmith1997
New Member

Hey all,

I'm trying to build a search where the system takes a look at whether or not two fields match across multiple events, and if they do, perform a historical comparison of another field's value, and if those two values mismatch, give me some way of figuring out if they do. IE a "1" value in a new field, or removing the event from the report I'm generating. Basically, a breakdown is as follows:

If across multiple events, value A & value B = value A & value B, then compare whether or not value C has the same value it did in the last 96 hours. If it does NOT, either a) remove the event from the report, or b) generate a TRUE/FALSE, or maybe a "1" in a new column to be output onto a table.

Hope this makes sense. Anyone that can help would be a huge help, as this would reduce workload massively.

Thanks,

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...