Streamstats Question

jhayIV · ‎10-13-2017

Using this query below could you help me identify servers that were added on a daily basis? example today is friday 13th i would like to see new servers that were not on the report on the Thursday the 12th. Alternatively I would like to see servers that were removed.

query - index=#### sourcetype=#### Name="####*"|table Name _time OS LastScanDate|eval Days=round((relative_time(now(),"@d")-relative_time(LastScanDate,"@d"))/86400,0)|eval LastScanDate=strftime(LastScanDate, "%Y-%m-%d")|sort by Name _time|streamstats window=1 current=f global=f values(LastScanDate) as prev|eval John=strftime(LastScanDate, "%d")

Example

Name    _time   OS  LastScanDate    Days    prev
Sever 1 2017-10-06T23:45:48.840-0500    Windows Server 2016 9/12/2017   31  
####WCAPPW1601  2017-10-07T23:45:15.257-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WCAPPW1601  2017-10-08T23:45:53.773-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WCAPPW1601  2017-10-08T23:50:59.393-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WCAPPW1601  2017-10-09T23:45:11.293-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WCAPPW1601  2017-10-10T23:45:15.580-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WCAPPW1601  2017-10-11T23:45:37.297-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WCAPPW1601  2017-10-12T23:45:55.467-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WDAPPBSO06B 2017-10-06T23:45:48.840-0500    Windows Server 2012 R2  9/14/2017   29  9/12/2017
####WDAPPBSO06B 2017-10-07T23:45:15.257-0500    Windows Server 2012 R2  9/14/2017   29  9/14/2017
####WDAPPBSO06B 2017-10-08T23:45:53.773-0500    Windows Server 2012 R2  9/14/2017   29  9/14/2017
####WDAPPBSO06B 2017-10-08T23:50:59.393-0500    Windows Server 2012 R2  9/14/2017   29  9/14/2017
####WDAPPBSO06B 2017-10-09T23:45:11.293-0500    Windows Server 2012 R2  9/14/2017   29  9/14/2017
####WDAPPServer02A  2017-10-06T23:45:48.840-0500    Windows Server 2012 R2  9/19/2017   24  9/14/2017
####WDAPPServer02A  2017-10-07T23:45:15.257-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02A  2017-10-08T23:45:53.773-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02A  2017-10-08T23:50:59.393-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02A  2017-10-09T23:45:11.293-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02G  2017-10-06T23:45:48.840-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02G  2017-10-07T23:45:15.257-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02G  2017-10-08T23:45:53.773-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02G  2017-10-08T23:50:59.393-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02G  2017-10-09T23:45:11.293-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02H  2017-10-06T23:45:48.840-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02H  2017-10-07T23:45:15.257-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02H  2017-10-08T23:45:53.773-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02H  2017-10-08T23:50:59.393-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02H  2017-10-09T23:45:11.293-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer03B  2017-10-06T23:45:48.840-0500    Windows Server 2012 R2  9/16/2017   27  9/19/2017
####WDAPPServer03B  2017-10-07T23:45:15.257-0500    Windows Server 2012 R2  9/16/2017   27  9/16/2017

kyaparla · ‎10-14-2017

you can use earliest(_time) and latest(_time) for each host, all hosts with earliest as today are new added servers and server with latest as yesterday are removed today.

Streamstats Question

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life