- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Compare One Field over Two Times
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Compare One Field over Two Times
I want to see what is new for the past two weeks, that hasn't been seen in the past. The only part of the search that would change is the time frame.
earlist=-4w latest=-2w index=int sourcetype=threat | stats count by name | sort -count| head 10
Gives me a table of top ten names between two and four weeks ago.
The name field updates on a weekly basis, sometimes more often. Nothing from the name field would be deleted.
I'm looking to compare the top 10 results and a complete list of what is new in the past two weeks.
I have searched through other answers, but not having any luck getting a working search.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your clarification, maybe like this:
earlist=-4w latest=-2w index=int sourcetype=threat | stats count by name | sort -count| head 10 | eval type=older | append [earlist=-2w latest=-d index=int sourcetype=threat | stats count by name | sort -count| head 10 | eval type=newer] | eventstats dc(type) as numTypes by name | where numTypes=1 and type="newer"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This might work:
earliest=-2w latest=-d index=int sourcetype=threat NOT [search earliest=-4w latest=-2w index=int sourcetype=threat | stats count by name | sort -count | head 10 | table name ] | stats count by name | sort -count | head 10 | table name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't understand your question so do go back around and spell it out more clearly. Sample data would help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's say I run this search, earliest=-4w latest=-2w index=int sourcetype=threat | stats count by name | sort -count | head 10
Results are -
Endpoint 6434272
URL 2499463
RPC 2428255
HTTP 299502
Login 180736
enumeration 170613
SMB 167128
NetBIOS 165573
user 92934
Buffer 54541
I run the same search, just with the earlier time frame, earliest=-2w latest=-d index=int sourcetype=threat | stats count by name | sort -count | head 10
Results are -
Endpoint 7449314
SMB 2699952
URL 2489496
enumeration 503045
Options 332335
MP4 295500
Adobe 243639
NetBIOS 178598
Microsoft 139980
SIP 39992
You can see there is some overlap between the two searches and that is was I am wanting to omit. I am only wanting to see what is new when comparing the past two weeks vs an older time frame.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
