Splunk Search

How to find differences of a field's values between time ranges?

davespatz
Explorer

Hello,

Long story on why, but I need to run a report on some squid logs based on the host name of the URL visited by the client through the squid proxy (the field is url_host). I need to see any new url_host entries since a certain time period, to see what changed since my last report - essentially, get me a list of new url_host values I didn't see the last time, or the time before that, etc. My search is below, but it doesn't seem to negate the url_host field values of the inner search. The inner search is what I want to negate; for anything new, give me stats on url_host by count.

Tried two different ways - first way below returns items that are still in the inner search:

sourcetype=squid earliest="7/17/2014:00:00:00" latest=now NOT [ search sourcetype=squid earliest="6/18/2014:00:00:00" latest="7/16/2014:23:59:59" | fields url_host ] | fields url_host | stats count by url_host

Second way also appears to give me results that I know are in both searches:

| set diff [search sourcetype=squid earliest="7/17/2014:00:00:00" latest=now | fields url_host] [search sourcetype=squid earliest="6/18/2014:00:00:00" latest="7/16/2014:23:59:59" | fields url_host] | stats count by url_host

Thanks in advance to anyone who answers.


davespatz
Explorer

Hey, thanks for the really quick answer. I learned more about different commands with that, but unfortunately it still shows results from the previous time period. I just assumed Splunk could do this easily somehow - there's ALWAYS a way to do it with Splunk - but this may just be easier for me to knock out in Excel.


somesoni2
Revered Legend

Try this

sourcetype=squid earliest="7/17/2014:00:00:00" latest=now 
| stats count by url_host | eval Period="current"
| append [ search sourcetype=squid earliest="6/18/2014:00:00:00" latest="7/16/2014:23:59:59"  | stats count by url_host | eval Period="past" ]
| stats values(Period) as Periods by url_host | where mvcount(Periods)=1 AND Periods="current"
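Added example (not part of somesoni2's answer or of the original thread): the same "hosts seen now but not in the previous window" comparison done in a single search, with no subsearch at all. Subsearches are the usual reason the two attempts in the question let through hosts that really were in the earlier window. A subsearch is capped by limits.conf ([subsearch] maxout = 10000 rows and maxtime = 60 seconds by default; append has its own maxout = 50000 / maxtime = 60), and when the inner search over a month of proxy events hits that cap it is silently truncated, so the truncated hosts are no longer negated. Passing raw events with `| fields url_host` makes this worse, because every event is a row; reducing the subsearch to one row per host with `| stats count by url_host | fields url_host` is the minimum fix for the `NOT [...]` form. The `set diff` form has two further problems: diff is a symmetric difference, so hosts seen only in the past are returned as well, and it compares entire result rows, not just url_host, so both sides must be collapsed to one row per host first. The search below sidesteps all of that. It assumes the sourcetype=squid and url_host names from the question, and that the 7/17/2014 boundary is meant in the search head's timezone (the past and current windows in the question are contiguous, so one time range covers both).

```spl
sourcetype=squid earliest="6/18/2014:00:00:00" latest=now
| eval Period=if(_time >= strptime("2014-07-17 00:00:00", "%Y-%m-%d %H:%M:%S"), "current", "past")
| stats count(eval(Period="current")) AS current_count, count(eval(Period="past")) AS past_count BY url_host
| where past_count=0
| sort - current_count
```

Every url_host in the result set was seen at least once in the combined range, so past_count=0 is exactly "seen only in the current period"; drop the where clause to see both counts side by side for every host, which is a useful check that the boundary date was interpreted the way you intended. Because the whole comparison is one stats pass over the events, it scales with the event volume rather than with a subsearch row limit, and the counts it reports are the same ones the question asks for.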