I'm a newbie with Splunk and I would like to compare the IP list that I get with the search below:
index=com-mng-puppet host="puppetmaster*" clientip!="::1" | dedup clientip | stats count by clientip
between different weeks, because I would like to know the new IPs or the IPs that weren't recorded in the logs. As I have seen, there are different ways.
Using count and stats by IP, but I'm not sure that's right:
index=com-mng-puppet host="servername*" clientip!="::1" | dedup clientip | stats count by clientip [ search earliest=-14d@d latest=-7d@d source=com-mng-puppet | stats count by clientip | fields clientip ] | stats dc(clientip) as "New IP's this week"
What do you recommend, and can you please give me any suggestions?
Thanks in advance
This search will give you new IPs in the second week or IPs not recorded in the second week.
Replace the search-time modifiers accordingly.
index=my_index earliest=-15m@m latest=-10m@m | dedup clientip | table clientip | append [search index=my_index earliest=-10m@m latest=-5m@m | dedup clientip | table clientip] | stats count by clientip | where count < 2
Try this using subsearch.
index=com-mng-puppet host="puppetmaster*" clientip!="::1" earliest=@w NOT [search index=com-mng-puppet host="puppetmaster*" clientip!="::1" earliest=-1w@w latest=@w | stats count by clientip | table clientip] | stats count by clientip | table clientip
This will get the list of clientips from last week (in the subsearch) and add the filter so that only the clientips which are not on that list will get selected and reported.
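The two answers above compute different sets: the append/where count < 2 search returns the symmetric difference (IPs new this week plus IPs that stopped appearing), while the NOT [subsearch] returns only the new ones. The following Python, added here as an illustration and not part of the original thread, reproduces both over a small constructed sample of "timestamp clientip" events so the difference is visible before wiring either into an alert.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original thread): one puppetmaster
# access record per request, as "timestamp clientip". The week boundary used
# below is 2024-03-11, so the first four lines fall in "last week".
SAMPLE_EVENTS = """\
2024-03-04T08:00:00 10.0.0.5
2024-03-05T09:10:00 10.0.0.7
2024-03-06T11:00:00 10.0.0.5
2024-03-07T12:30:00 ::1
2024-03-11T08:05:00 10.0.0.5
2024-03-12T09:00:00 10.0.0.9
2024-03-13T10:00:00 ::1
2024-03-14T16:45:00 10.0.0.11
"""

def parse_events(text):
    """Yield (timestamp, clientip) tuples, dropping ::1 like clientip!="::1" does."""
    for line in text.splitlines():
        ts, ip = line.split()
        if ip == "::1":
            continue
        yield datetime.fromisoformat(ts), ip

def ips_per_week(events, week_start):
    """Bucket distinct client IPs into 'last' (the week before week_start) and
    'this' (week_start onward), mirroring earliest=-1w@w latest=@w vs earliest=@w
    together with dedup clientip."""
    last_start = week_start - timedelta(days=7)
    buckets = {"last": set(), "this": set()}
    for ts, ip in events:
        if last_start <= ts < week_start:
            buckets["last"].add(ip)
        elif ts >= week_start:
            buckets["this"].add(ip)
    return buckets

def new_ips(buckets):
    """Equivalent of the NOT [subsearch] approach: seen this week, not last week."""
    return sorted(buckets["this"] - buckets["last"])

def changed_ips(buckets):
    """Equivalent of append | stats count by clientip | where count < 2:
    the symmetric difference, i.e. new IPs and IPs that stopped appearing."""
    return sorted(buckets["this"] ^ buckets["last"])

def report(text=SAMPLE_EVENTS, week_start=datetime(2024, 3, 11)):
    buckets = ips_per_week(parse_events(text), week_start)
    return {"new": new_ips(buckets), "changed": changed_ips(buckets),
            "gone": sorted(buckets["last"] - buckets["this"])}
```

For an alert on new IPs only, the "new" list is the one to act on; the "changed" list also flags hosts that went silent, which is a different signal.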
Thanks for your quick response.
Exactly, I want to compare the IPs of this week with the IP list of the last week, with the idea that if there are new IPs, an alert is sent with these new IPs.
Thanks
What do you want to do exactly? Do you want to compare the IPs of this week with the IP list of the last week or the last two weeks, and filter out just the new IPs?