Solved: Re: Track Useragent Change Over Time

agodoy · ‎01-31-2013

So I have two searches that return the list of useragents.

Search 1 Current Week:

host="webserver" | earliest=-1w latest=now | stats count by useragent | table useragent, count | sort - count

Search 2 Last Week:

host="webserver" | earliest=-2w latest=-1w | stats count by useragent | table useragent, count | sort - count

These will return a list of useragents for the time frames indicated. How do I display the useragent that are new from the Last Week search?

Thanks!

lguinn2 · ‎01-31-2013

Try this

host="webserver" earliest=-1w latest=now 
| stats count as ThisWeek by useragent
| join useragent type=outer [ search host="webserver" earliest=-2w latest=-1w 
    | stats count as LastWeek by useragent ]
| fillnull
| where LastWeek = 0
| sort -ThisWeek

View solution in original post

lguinn2 · ‎01-31-2013

Try this

host="webserver" earliest=-1w latest=now 
| stats count as ThisWeek by useragent
| join useragent type=outer [ search host="webserver" earliest=-2w latest=-1w 
    | stats count as LastWeek by useragent ]
| fillnull
| where LastWeek = 0
| sort -ThisWeek

agodoy · ‎02-01-2013

That worked. Thank you!

Track Useragent Change Over Time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation