Solved: Re: Track Useragent Change Over Time

agodoy · ‎01-31-2013

So I have two searches that return the list of useragents.

Search 1 Current Week:

host="webserver" | earliest=-1w latest=now | stats count by useragent | table useragent, count | sort - count

Search 2 Last Week:

host="webserver" | earliest=-2w latest=-1w | stats count by useragent | table useragent, count | sort - count

These will return a list of useragents for the time frames indicated. How do I display the useragent that are new from the Last Week search?

Thanks!

lguinn2 · ‎01-31-2013

Try this

host="webserver" earliest=-1w latest=now 
| stats count as ThisWeek by useragent
| join useragent type=outer [ search host="webserver" earliest=-2w latest=-1w 
    | stats count as LastWeek by useragent ]
| fillnull
| where LastWeek = 0
| sort -ThisWeek

View solution in original post

lguinn2 · ‎01-31-2013

Try this

host="webserver" earliest=-1w latest=now 
| stats count as ThisWeek by useragent
| join useragent type=outer [ search host="webserver" earliest=-2w latest=-1w 
    | stats count as LastWeek by useragent ]
| fillnull
| where LastWeek = 0
| sort -ThisWeek

agodoy · ‎02-01-2013

That worked. Thank you!

Track Useragent Change Over Time

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Join the Conversation

Track Useragent Change Over Time

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events