I'm looking for a way to alert or report when new data shows up in Splunk. For example, when a new device starts sending data to Splunk, or when a new incoming IP address shows up in my firewall logs.
I suppose I'd need to search for what did exist, what exists now, and then compare the two lists... but I'm not quite sure how to get that done. (And how to optimize it, probably using summary indexes?) I can build searches easily enough that show what did exist and what exists now for various things (hosts, IP addresses, etc.), but I'm not sure how to compare the two lists. Any guidance?
(I tried using a subsearch, but I got an error message about a 10,000 result limit on subsearches. When I tried to limit the subsearch to just unique IP address combinations using stats or uniq, the search crashed.)
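One way to answer the question above without any subsearch, as an added example (these searches are not from the original post and not Splunk-supplied code; the index name `firewall`, the field `src_ip`, and the lookup file name `known_src_ips.csv` are assumptions you would replace with your own). Instead of building two lists and comparing them, `stats` computes the first and last time each value was seen over one long window and keeps only the values whose first appearance falls inside the recent window; the `metadata` command does the same for hosts straight from the index metadata, and the last two searches keep a baseline of everything seen so far in a lookup so the alert search only has to scan the newest events.

```spl
`comment("Added example: source IPs first seen in the last 24h, judged against a 30-day window. Assumes index 'firewall' and field 'src_ip'.")`
index=firewall earliest=-30d
| stats earliest(_time) AS first_seen latest(_time) AS last_seen count BY src_ip
| where first_seen >= relative_time(now(), "-24h@h")
| convert ctime(first_seen) ctime(last_seen)
| sort - count

`comment("Hosts that started sending data in the last 24h, read from index metadata rather than from events")`
| metadata type=hosts index=*
| where firstTime >= relative_time(now(), "-24h@h")
| convert ctime(firstTime) ctime(recentTime)
| table host firstTime recentTime totalCount

`comment("Baseline maintenance, run on a schedule: merge the last day's IPs into the lookup of everything seen so far. Assumes lookup file 'known_src_ips.csv'.")`
index=firewall earliest=-24h@h
| stats min(_time) AS first_seen BY src_ip
| inputlookup append=true known_src_ips.csv
| stats min(first_seen) AS first_seen BY src_ip
| outputlookup known_src_ips.csv

`comment("Alert search: any src_ip in the last hour that the baseline lookup has never seen")`
index=firewall earliest=-1h@h
| stats count BY src_ip
| lookup known_src_ips.csv src_ip OUTPUT first_seen AS known_since
| where isnull(known_since)
```

The first search is enough to save as a scheduled alert on its own; because it never hands a list to a subsearch, the 10,000-row subsearch limit does not apply. The lookup pair is the cheaper option once the history grows, since the alert search only reads the newest events and a small CSV; if you prefer the summary-index route mentioned above, the same `stats ... BY src_ip` result can be written with `collect` on a schedule and the "new" test run against that summary instead of the raw index.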