Streamstats Question

jhayIV
Engager

Using the query below, could you help me identify servers that were added on a daily basis? For example, today is Friday the 13th; I would like to see new servers that were not on the report on Thursday the 12th. Alternatively, I would like to see servers that were removed.

query -
index=#### sourcetype=#### Name="####*"
| table Name _time OS LastScanDate
| eval Days=round((relative_time(now(),"@d")-relative_time(LastScanDate,"@d"))/86400,0)
| eval LastScanDate=strftime(LastScanDate, "%Y-%m-%d")
| sort by Name _time
| streamstats window=1 current=f global=f values(LastScanDate) as prev
| eval John=strftime(LastScanDate, "%d")

Example

Name    _time   OS  LastScanDate    Days    prev
Sever 1 2017-10-06T23:45:48.840-0500    Windows Server 2016 9/12/2017   31  
####WCAPPW1601  2017-10-07T23:45:15.257-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WCAPPW1601  2017-10-08T23:45:53.773-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WCAPPW1601  2017-10-08T23:50:59.393-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WCAPPW1601  2017-10-09T23:45:11.293-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WCAPPW1601  2017-10-10T23:45:15.580-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WCAPPW1601  2017-10-11T23:45:37.297-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WCAPPW1601  2017-10-12T23:45:55.467-0500    Windows Server 2016 9/12/2017   31  9/12/2017
####WDAPPBSO06B 2017-10-06T23:45:48.840-0500    Windows Server 2012 R2  9/14/2017   29  9/12/2017
####WDAPPBSO06B 2017-10-07T23:45:15.257-0500    Windows Server 2012 R2  9/14/2017   29  9/14/2017
####WDAPPBSO06B 2017-10-08T23:45:53.773-0500    Windows Server 2012 R2  9/14/2017   29  9/14/2017
####WDAPPBSO06B 2017-10-08T23:50:59.393-0500    Windows Server 2012 R2  9/14/2017   29  9/14/2017
####WDAPPBSO06B 2017-10-09T23:45:11.293-0500    Windows Server 2012 R2  9/14/2017   29  9/14/2017
####WDAPPServer02A  2017-10-06T23:45:48.840-0500    Windows Server 2012 R2  9/19/2017   24  9/14/2017
####WDAPPServer02A  2017-10-07T23:45:15.257-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02A  2017-10-08T23:45:53.773-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02A  2017-10-08T23:50:59.393-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02A  2017-10-09T23:45:11.293-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02G  2017-10-06T23:45:48.840-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02G  2017-10-07T23:45:15.257-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02G  2017-10-08T23:45:53.773-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02G  2017-10-08T23:50:59.393-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02G  2017-10-09T23:45:11.293-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02H  2017-10-06T23:45:48.840-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02H  2017-10-07T23:45:15.257-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02H  2017-10-08T23:45:53.773-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02H  2017-10-08T23:50:59.393-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer02H  2017-10-09T23:45:11.293-0500    Windows Server 2012 R2  9/19/2017   24  9/19/2017
####WDAPPServer03B  2017-10-06T23:45:48.840-0500    Windows Server 2012 R2  9/16/2017   27  9/19/2017
####WDAPPServer03B  2017-10-07T23:45:15.257-0500    Windows Server 2012 R2  9/16/2017   27  9/16/2017
0 Karma

kyaparla
Path Finder

You can use earliest(_time) and latest(_time) for each host. All hosts with earliest as today are newly added servers, and servers with latest as yesterday are removed today.

0 Karma
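The approach from the answer above, written out as a search. This is an added example, not part of the original posts. It assumes the search window covers exactly yesterday and today, keeps the masked index, sourcetype and Name filter from the question, and uses the illustrative field names first_seen, last_seen and status.

```spl
index=#### sourcetype=#### Name="####*" earliest=-1d@d latest=now
| stats earliest(_time) as first_seen latest(_time) as last_seen by Name
| eval today_start=relative_time(now(), "@d")
| eval status=case(first_seen >= today_start, "added",
                   last_seen < today_start, "removed",
                   true(), "unchanged")
| where status!="unchanged"
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table Name status first_seen last_seen
```

The sample events in the question arrive around 23:45 each day, so run this only after today's scan data has been indexed; before that, every server seen yesterday is reported as removed.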