I am trying to identify events that occur in events collected today that did not happen yesterday. I looked at the delta and diff commands but I think I am missing something. I understand this question is somewhat vague; however, hopefully someone can point me in the right direction.
Thank you,
You might want to look at subsearches.
For example, look at this search query:
source=WinEventLog:System ([| search source=WinEventLog:System earliest=-6h latest=-3h | table EventCode]) | stats count by EventCode
This would return a table of EventCodes and Event Counts for each where the EventCode of an event in my given search frame equals one of the EventCodes discovered in the subsearch.
So to get the opposite effect:
source=WinEventLog:System NOT ([| search source=WinEventLog:System earliest=-6h latest=-3h | table EventCode]) | stats count by EventCode
This, in theory, should return any event that occurred during my specified time frame with an EventCode that was not returned by the subsearch.
Do be careful with Subsearches, however, as they can severely impact system performance.
Anyway, I hope that gets you in the right direction.
Another possible approach that doesn't require a subsearch. Use if to set a variable to 1 if the time is within the last day and 0 if it is older. Sum the variable to get a count of events that happened in the last 24 hours and count all the events. If all of the events are new (AllCount=NewCount), then the event has only happened in the last 24 hours.
Example:
table _time host Code |
eval cutOffTime=relative_time(now(),"-24h"), New=if(_time>cutOffTime,1,0) |
stats sum(New) as NewCount count as AllCount by host Code |
where AllCount = NewCount
I use dedup instead of subsearches to identify New (over 'All time' range) or Infrequent (over 'Last X days' range) event types, for example:
sourcetype=WinEventLog* | dedup host, LogName, SourceName, EventCode sortby +_time | eval epochevent=_time | eval epochwindow=relative_time(now(), "-1d" ) | where epochevent>=epochwindow | table host, LogName, SourceName, EventCode, Message, _time
Change "-1d" in the search to narrow or broaden the differential range and schedule your alert to the same frequency.
I think I found what I was looking for here
I downvoted this post because the answer just links back to the question.
I think three identical comments 2.5 years later is enough 🙂
I downvoted this post because this 'answer' recommends visiting the question that the answer is supposedly answering. I think the poster meant to post this answer as an answer (or comment) on some other question.
That's this very page?
Depending on your specific problem, you may be able to drop the subsearch through something like this (untested, pseudosplunk):
source and whatnot, from yesterday midnight to now | chart count by EventCode date_mday | where yesterday = 0 AND today > 0
Note, you still need to figure out a way to address the columns for today and yesterday correctly.
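The four answers above (the NOT-subsearch, the AllCount=NewCount stats, the dedup-by-first-occurrence search, and the day-by-day chart) are all ways of asking "which event codes appeared in the current window but never in the baseline window?" The Python below is an added illustration written for this page, not code from any of the answers or from Splunk; it re-implements each approach over a small constructed set of Windows-style events (hosts, event codes and timestamps are made up) so the outputs can be compared side by side. NOW and CUTOFF are constructed stand-ins for now() and relative_time(now(), "-24h").

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed reference point and 24h cut-off (stand-ins for now() and
# relative_time(now(), "-24h") in the answers above).
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
CUTOFF = NOW - timedelta(hours=24)


def ev(hours_ago, host, code):
    """Build one constructed event record with the fields the searches use."""
    return {"_time": NOW - timedelta(hours=hours_ago), "host": host, "EventCode": code}


# Constructed sample: two hosts, four event codes, spread over yesterday and today.
EVENTS = [
    ev(35, "dc01", 4624),  # seen yesterday and again today: not new
    ev(30, "dc01", 4624),
    ev(5, "dc01", 4624),
    ev(36, "dc01", 7036),  # seen yesterday only: not new
    ev(3, "dc01", 4720),   # first seen today on both hosts: new
    ev(2, "ws07", 4720),
    ev(1, "ws07", 1102),   # first seen today: new
]


def new_codes_set_difference(events, cutoff):
    """Subsearch style: codes in the current window minus codes in the baseline window."""
    baseline = {e["EventCode"] for e in events if e["_time"] < cutoff}
    current = {e["EventCode"] for e in events if e["_time"] >= cutoff}
    return sorted(current - baseline)


def new_pairs_all_equals_new(events, cutoff):
    """stats sum(New) as NewCount count as AllCount by host Code | where AllCount = NewCount"""
    all_count = defaultdict(int)
    new_count = defaultdict(int)
    for e in events:
        key = (e["host"], e["EventCode"])
        all_count[key] += 1
        new_count[key] += 1 if e["_time"] > cutoff else 0
    return sorted(k for k in all_count if all_count[k] == new_count[k])


def new_pairs_dedup_first_seen(events, cutoff):
    """dedup host EventCode sortby +_time | where _time >= cutoff"""
    first_seen = {}
    for e in sorted(events, key=lambda e: e["_time"]):
        first_seen.setdefault((e["host"], e["EventCode"]), e["_time"])
    return sorted(k for k, t in first_seen.items() if t >= cutoff)


def new_codes_daily_pivot(events, now):
    """chart count by EventCode date_mday | where yesterday = 0 AND today > 0"""
    today = now.date()
    yesterday = today - timedelta(days=1)
    counts = defaultdict(lambda: {"yesterday": 0, "today": 0})
    for e in events:
        day = e["_time"].date()
        if day == today:
            counts[e["EventCode"]]["today"] += 1
        elif day == yesterday:
            counts[e["EventCode"]]["yesterday"] += 1
    return sorted(c for c, d in counts.items() if d["yesterday"] == 0 and d["today"] > 0)


if __name__ == "__main__":
    print("set difference   :", new_codes_set_difference(EVENTS, CUTOFF))
    print("AllCount=NewCount:", new_pairs_all_equals_new(EVENTS, CUTOFF))
    print("dedup first seen :", new_pairs_dedup_first_seen(EVENTS, CUTOFF))
    print("daily pivot      :", new_codes_daily_pivot(EVENTS, NOW))
```

The two per-(host, code) variants agree with each other, and the two per-code variants agree with each other, on this sample. The practical caveat the comparison makes visible: every approach other than the subsearch depends on the outer search covering the baseline as well as the current window. Run the AllCount=NewCount or dedup search over only the last 24 hours and every code looks new, because there is no older occurrence left to disqualify it.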
Behold the power of Splunk. Thank you!