- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to count number of occurrences made of a "set ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am challenging myself to solve a problem which came up last week.
The idea is to first make a set diff between two different time frames which result to an IP table, and then take all those IPs and count how many times they appeared in a much larger time frame.
I have "set diff" working for now, giving me the IP table with the uncommon IPs correctly. What I can't think of, is how/where to feed this table.
| set diff [search source=*Host_Enumeration* earliest=-14d@d latest=-8d@d | stats count by dest_ip |sort dest_ip | table dest_ip ] [search source=*Host_Enumeration* earliest=-7d@d latest=now | stats count by dest_ip |sort dest_ip | table dest_ip ] | search earliest=-30d latest=now | stats count(dest_ip) by dest_ip
Above query works till the end of "set diff". Where everything is screwed up is on the search.
I am not sure if this is very easy or not, but if you could give me a hint or whatever, I would be grateful.
Regards,
Evang
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (assuming, for searching in the longer period, the source remains the same)
source=*Host_Enumeration* earliest=-30d latest=now [| set diff [search source=*Host_Enumeration* earliest=-14d@d latest=-8d@d | stats count by dest_ip |sort dest_ip | table dest_ip ] [search source=*Host_Enumeration* earliest=-7d@d latest=now | stats count by dest_ip |sort dest_ip | table dest_ip ]]
| stats count(dest_ip) by dest_ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (assuming, for searching in the longer period, the source remains the same)
source=*Host_Enumeration* earliest=-30d latest=now [| set diff [search source=*Host_Enumeration* earliest=-14d@d latest=-8d@d | stats count by dest_ip |sort dest_ip | table dest_ip ] [search source=*Host_Enumeration* earliest=-7d@d latest=now | stats count by dest_ip |sort dest_ip | table dest_ip ]]
| stats count(dest_ip) by dest_ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much somesoni2.
That worked perfectly!
Regards,
Evang
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
