differences in multi-valued field over time

andreas_roth · ‎03-31-2015

Hi all,

I'm getting events like this:

time=11111 file=aaaa
time=11111 file=bbbb
time=11111 file=cccc
time=11111 file=dddd

time=22222 file=aaaa
time=22222 file=bbbb
time=22222 file=cccc
time=22222 file=dddd
time=22222 file=eeee

time=33333 file=aaaa
time=33333 file=bbbb
time=33333 file=cccc
time=33333 file=dddd
time=33333 file=ffff

...

time=99999 file=aaaa
time=99999 file=bbbb

now i want to determine the changes of the field "file" over time. I was trying to create transactions and using diff ... but this leads nowhere... 😞

Thanks for your help in advance,

Andreas

stephane_cyrill · ‎03-31-2015

Hi Andreas.rth,
I thin what you can do is:
1- you first extract the field name file either with a regex or by IFX

2- you can do this when you have you field value:

...........|stats first(file) AS new_value|eval change=if(values(file)!=new_value, "yes","NO")|table new_value change

3-you can decide on which time range to run the search

stephane_cyrill · ‎03-31-2015

Do you know in advance all the values of the field file?

andreas_roth · ‎03-31-2015

nope... so there is a script, crawling a directory from time to time. I need to find out which files were created or deleted.

Are you a member of the Splunk Community?