Solved: How to compare two fields values for two different...

faisal_saifi · ‎12-14-2016

index=nessus severity!=informational severity!=low severity!=medium earliest=-1mon@mon latest=-0mon@mon | top 0 signature | fields - count,percent | rename signature as sign1 | appendcols [search index=nessus severity!=informational severity!=low severity!=medium earliest=-2mon@mon latest=-1mon@mon | top 0 signature | fields - count,percent | rename signature as sign2 ] | where sign1 = sign2

using above search to count the same signature triggered for two different months. i need to compare all values of field sign1 with all values of field sign2. but sign1=sign2 is comparing only the values in same row not the full column.

somesoni2 · ‎12-14-2016

Try like this (will return signatures which are available in both time ranges).

index=nessus severity!=informational severity!=low severity!=medium earliest=-2mon@mon latest=-0mon@mon 
| eval timerange=if(_time>relative_time(now(),"-1mon@mon"),"timerange1","timerange2") 
| stats dc(timerange) as timerange by signature | where timerange=2

View solution in original post

somesoni2 · ‎12-14-2016

Try like this (will return signatures which are available in both time ranges).

index=nessus severity!=informational severity!=low severity!=medium earliest=-2mon@mon latest=-0mon@mon 
| eval timerange=if(_time>relative_time(now(),"-1mon@mon"),"timerange1","timerange2") 
| stats dc(timerange) as timerange by signature | where timerange=2

How to compare two fields values for two different time ranges

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!