- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Compare IP list from the same search between diffe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm newbie with Splunk and I would like to compare IP list that I get with below search:
index=com-mng-puppet host="puppetmaster*" clientip!="::1" | dedup clientip | stats count by clientip
Between different weeks, because I would like to know new IP's or the IP's weren't recorded in the logs. As I have seen there is different ways.
- Exporting to csv and using set diff, however I don't know how I can do it. I know export to csv, but how would I compare?
Using count and stat by IP, I'm not sure that's right
index=com-mng-puppet host="servername*" clientip!="::1" | dedup clientip | stats count by clientip [ search earliest=-14d@d latest=-7d@d source=com-mng-puppet | stats count by clientip | fields clientip ] | stats dc(clientip) as "New IP's this week"
What do you recommend me and can you please give any suggestion?
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This search will give you new IPs in second week or IPs not recorded in second week.
Replace the searchtime modifiers accordingly
index=my_index earliest=-15m@m latest=-10m@m | dedup clientip | table clientip | append [search index=my_index earliest=-10m@m latest=-5m@m | dedup clientip | table clientip] | stats count by clientip | where count < 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this using subsearch.
index=com-mng-puppet host="puppetmaster*" clientip!="::1" earliest=@w NOT [search index=com-mng-puppet host="puppetmaster*" clientip!="::1" earliest=-1w@w latest=@w | stats count by clientip | table clientip] | stats count by clientip | table clientip
This will get list of clientips from last week (in subsearch) and add the filter so that only the clientips which are not on the list will get selected and reported.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This search will give you new IPs in second week or IPs not recorded in second week.
Replace the searchtime modifiers accordingly
index=my_index earliest=-15m@m latest=-10m@m | dedup clientip | table clientip | append [search index=my_index earliest=-10m@m latest=-5m@m | dedup clientip | table clientip] | stats count by clientip | where count < 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your quick response.
Exactly I want to compare the IPs of this week with the IP list of the last week, with the idea that if there are new IPs send an alert with these new IPs
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you do exactly? Do you want to compare the IPs of this week with the ip list of the last week or the last two weeks and filter out just the new ips?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
