Splunk Search

Listing a field where another specified field has changed?

a2368026
New Member

Hello Splunk Answers!

Excuse the rookie question. I have a splunk instance that is consuming data with events that look like this:

date, domain_accessed, user_visiting_domain, domain_category

I want to create a search where I compare the 'domain_category' on the current day to the same field over a specific period!

For instance I want the search to list domains that are currently categorised as 'storage' and then search over the previous months for the same domain but only show those which have NOT been previously categorised as 'storage'.

I.e., I want to identify all 'domains_accessed' where the category has changed from '---' to 'storage' in a given period of time?

Any help gratefully received!

a2368026


maciep
Champion

There are probably a bunch of ways to do this. You could use a subsearch to find all of the domains_accessed that were not storage and add those to filter your main search for current storage categories.

Or you could probably use join to combine results from today's data with last month's data on the domains_accessed field - similar to a sql join.

But typically, if you can avoid subsearches and joins, then you probably should. And so I think you can get away with stats here.

index=some_access_logs 
| stats latest(domain_category) as current_category, earliest(domain_category) as first_category by domain_accessed 
| where current_category="Storage" AND first_category!="Storage" 

So if you run that over a few months, it should provide you the domains_accessed that were not storage at the beginning of the period but are now. It won't tell you when it switched, not sure if that's needed? I know you say never previously Storage...but not sure when "previously" starts? If it matters when exactly it became storage, that's probably doable with stats too.

Hope this helps.

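As an added illustration (my own Python, not maciep's SPL or any Splunk code), here is the same earliest/latest-by-domain logic run over a few constructed events in the poster's layout. It assumes the lowercase category value 'storage' from the question, and it additionally reports the first date a domain showed up as storage, which is the "when it switched" detail the stats search alone does not give.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the poster's layout:
# date, domain_accessed, user_visiting_domain, domain_category
SAMPLE_EVENTS = """\
2024-01-03,files.example.net,alice,---
2024-01-20,files.example.net,bob,---
2024-02-11,files.example.net,carol,storage
2024-02-28,files.example.net,alice,storage
2024-01-05,box.example.org,dave,storage
2024-02-14,box.example.org,erin,storage
2024-01-09,news.example.com,frank,---
2024-02-22,news.example.com,frank,---
"""


def parse_events(text):
    """Turn the CSV-style lines into (timestamp, domain, user, category) tuples."""
    events = []
    for line in text.strip().splitlines():
        date, domain, user, category = [f.strip() for f in line.split(",")]
        events.append((datetime.strptime(date, "%Y-%m-%d"), domain, user, category))
    return events


def category_changes(events, target="storage"):
    """Mimic `stats earliest(domain_category) latest(domain_category) by domain_accessed`
    followed by `where current_category=target AND first_category!=target`.
    Also records the first event time at which the domain carried the target
    category, something the plain stats search does not report."""
    by_domain = defaultdict(list)
    for ts, domain, _user, category in events:
        by_domain[domain].append((ts, category))
    results = {}
    for domain, rows in by_domain.items():
        rows.sort()  # earliest()/latest() are defined by event time
        first_category = rows[0][1]
        current_category = rows[-1][1]
        if current_category == target and first_category != target:
            switched_at = next(ts for ts, cat in rows if cat == target)
            results[domain] = {
                "first_category": first_category,
                "switched_at": switched_at.date().isoformat(),
            }
    return results


if __name__ == "__main__":
    print(category_changes(parse_events(SAMPLE_EVENTS)))
```

Only files.example.net is reported: box.example.org was storage from the start and news.example.com never became storage.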