Search that Compares Historical Data, then Generat...

Splunk Search

Hey all,

I'm trying to build a search where the system takes a look at whether or not two fields match across multiple events, and if they do, perform a historical comparison of another field's value, and if those two values mismatch, give me some way of figuring out if they do. IE a "1" value in a new field, or removing the event from the report I'm generating. Basically, a breakdown is as follows:

If across multiple events, value A & value B = value A & value B, then compare whether or not value C has the same value it did in the last 96 hours. If it does NOT, either a) remove the event from the report, or b) generate a TRUE/FALSE, or maybe a "1" in a new column to be output onto a table.

Hope this makes sense. Anyone that can help would be a huge help, as this would reduce workload massively.

Thanks,

Get Updates on the Splunk Community!

Search that Compares Historical Data, then Generates a Value to say if Data Matched or Not,Compare Historical Data and Report if Two Values Don't Match

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation