Splunk Search

compare results in different days

stevesmith08
Explorer

Good day! I have two requests for different dates. I need to compare the results of the queries.

The following comparison command works correctly:
| set diff
[search sourcetype=“scan_results” date=“2019-05-27” | table host, port, state]
[search sourcetype=“scan_results” date=“2019-05-28” | table host, port, state]

But I need to add a field “date” to each result.

In the end, I want to track changes in the status of ports for different scan dates.

Could you help me, please?

Thanks

Tags (1)
0 Karma
1 Solution

DavidHourani
Super Champion

Hi @stevesmith08,

You can use something like that if you want to add the date field :

sourcetype=“scan_results” date=“2019-05-27”  OR date=“2019-05-28”  
| stats dc(date) as condition values(date) as date by host, port, state 
| where condition <2

Cheers,
David

View solution in original post

DavidHourani
Super Champion

Hi @stevesmith08,

You can use something like that if you want to add the date field :

sourcetype=“scan_results” date=“2019-05-27”  OR date=“2019-05-28”  
| stats dc(date) as condition values(date) as date by host, port, state 
| where condition <2

Cheers,
David

stevesmith08
Explorer

Thanks! it works correctly

0 Karma

DavidHourani
Super Champion

you're welcome !

0 Karma

koshyk
Super Champion

hi Steve
You already have got the "date" field in the event. You could add it straight away or am i not understanding the issue correctly?

| set diff
[search sourcetype=“scan_results” date=“2019-05-27” | table host, port, state, date]
[search sourcetype=“scan_results” date=“2019-05-28” | table host, port, state, date]

.

0 Karma

stevesmith08
Explorer

If you explicitly specify the date in each subquery, the results they return differ in this field.

I need to compare only fields “host”, “port”, “state”

0 Karma
Get Updates on the Splunk Community!

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...