I have a user that is asking me to look at the file hashes of every file that comes into Splunk across today and yesterday. I can compare one just fine:

index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"
| rename FileHash as "todays_hash"
| append [ search index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00" | rename FileHash as "yesterdays_hash" ]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash

This makes a table showing the 2 hashes and a message telling me if the hash has changed or not. Now, is there a way to run this through foreach or something that can do that for the whole list of file names? Something like:

index=my_index RuleName="Rule_name"
| stats values
| foreach FieldName
| append [ search index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00" | rename FileHash as "yesterdays_hash" ]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash
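The per-file comparison the post is asking for, written out as an added Python example rather than SPL (this is not code from the original post): events are bucketed by FileName into "today" and "yesterday" hash sets, mirroring what `stats values(FileHash) by FileName` would collect, and each file gets the same description labels as the search above, plus two extra cases the two-query version cannot express (a file seen on only one of the days). The event list, the FileName/FileHash values and the choice of 12 June 2021 as "today" are constructed for the example.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample events, shaped like the results that
# index=my_index RuleName="Rule_name" would return for the two days.
EVENTS = [
    {"_time": "2021-06-12T09:10:00", "FileName": "file.exe", "FileHash": "aaaa1111"},
    {"_time": "2021-06-11T08:00:00", "FileName": "file.exe", "FileHash": "aaaa1111"},
    {"_time": "2021-06-12T10:30:00", "FileName": "svc.dll",  "FileHash": "cccc3333"},
    {"_time": "2021-06-11T11:45:00", "FileName": "svc.dll",  "FileHash": "bbbb2222"},
    {"_time": "2021-06-12T12:00:00", "FileName": "new.exe",  "FileHash": "dddd4444"},
    {"_time": "2021-06-11T13:00:00", "FileName": "old.exe",  "FileHash": "eeee5555"},
    {"_time": "2021-06-11T14:00:00", "FileName": "old.exe",  "FileHash": "ffff6666"},
]

# Assumed "today" for the constructed data above.
TODAY = date(2021, 6, 12)


def compare_hashes(events, today):
    """One row per FileName with today's and yesterday's hash sets and a
    description, i.e. the whole-list version of the two-query search."""
    yesterday = today - timedelta(days=1)
    seen = defaultdict(lambda: {"todays_hash": set(), "yesterdays_hash": set()})
    for ev in events:
        day = datetime.fromisoformat(ev["_time"]).date()
        if day == today:
            seen[ev["FileName"]]["todays_hash"].add(ev["FileHash"])
        elif day == yesterday:
            seen[ev["FileName"]]["yesterdays_hash"].add(ev["FileHash"])
        # Events outside the two-day window are ignored, like earliest/latest.
    rows = []
    for name in sorted(seen):
        t, y = seen[name]["todays_hash"], seen[name]["yesterdays_hash"]
        if not t:
            desc = "Not seen today"
        elif not y:
            desc = "Not seen yesterday"
        elif t == y:              # set comparison: handles multi-valued hashes
            desc = "Hash has not changed"
        else:
            desc = "Hash has changed"
        rows.append({"FileName": name, "description": desc,
                     "todays_hash": sorted(t), "yesterdays_hash": sorted(y)})
    return rows


if __name__ == "__main__":
    for row in compare_hashes(EVENTS, TODAY):
        print(row["FileName"], row["description"], row["todays_hash"], row["yesterdays_hash"])
```

A file that appears with two different hashes on the same day is reported as changed, since its hash set differs from the other day's; the two-query version would silently pick whichever values `stats values(*)` collected.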