Splunk Search

How do I find events that appear today that did not appear yesterday?

bigtyma
Communicator

I am trying to identify events that occur in events collected today that did not happen yesterday. I looked at the delta and diff commands but I think I am missing something. I understand this question is somewhat vague; however, hopefully someone can point me in the right direction.
Thank you,

1 Solution

jlanders
Path Finder

You might want to look at subsearches.

For example, look at this search query:


source=WinEventLog:System ([| search source=WinEventLog:System earliest=-6h latest=-3h | table EventCode]) | stats count by EventCode

This would return a table of EventCodes and Event Counts for each where the EventCode of an event in my given search frame equals one of the EventCodes discovered in the subsearch.

So to get the opposite effect:

source=WinEventLog:System NOT ([| search source=WinEventLog:System earliest=-6h latest=-3h | table EventCode]) | stats count by EventCode

This, in theory, should return any event that occurred during my specified time frame with an EventCode that was not returned by the subsearch.

Do be careful with Subsearches, however, as they can severely impact system performance.

Anyway, I hope that gets you in the right direction.


gault00
New Member

Another possible approach that doesn't require a subsearch. Use if to set a variable to 1 if the time is within the last day and 0 if it is older. Sum the variable to get a count of events that happened in the last 24 hours and count all the events. If all of the events are new (AllCount=NewCount), then the event has only happened in the last 24 hours.

Example:
table _time host Code |
eval cutOffTime=relative_time(now(),"-24h"), New=if (_time>cutOffTime,1,0) |
stats sum(New) as NewCount count as AllCount by host Code |
where AllCount = NewCount


stoomart
Explorer

I use dedup instead of subsearches to identify New (over 'All time' range) or Infrequent (over 'Last X days' range) event types, for example:

sourcetype=WinEventLog* | dedup host, LogName, SourceName, EventCode sortby +_time | eval epochevent=_time | eval epochwindow=relative_time(now(), "-1d" ) | where epochevent>=epochwindow | table host, LogName, SourceName, EventCode, Message, _time

Change "-1d" in the search to narrow or broaden the differential range and schedule your alert to the same frequency.

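The three approaches in this thread (gault00's AllCount=NewCount test, stoomart's dedup/first-seen window, and jlanders's NOT [subsearch]) can be compared outside Splunk. This is an added Python example, not code from the thread or from Splunk; the events, hostnames, EventCodes and timestamps are constructed, and it also shows why a short subsearch baseline flags event types that are not actually new.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data): (timestamp, host, LogName, SourceName, EventCode)
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ("2024-03-13T08:00:00Z", "dc01", "System", "Service Control Manager", 7036),
    ("2024-03-14T09:30:00Z", "dc01", "System", "Service Control Manager", 7036),
    ("2024-03-15T10:15:00Z", "dc01", "System", "Service Control Manager", 7036),
    ("2024-03-14T08:00:00Z", "dc01", "Security", "Microsoft-Windows-Security-Auditing", 4624),
    ("2024-03-15T07:00:00Z", "dc01", "Security", "Microsoft-Windows-Security-Auditing", 4624),
    ("2024-03-15T11:00:00Z", "dc01", "Security", "Microsoft-Windows-Security-Auditing", 4624),
    ("2024-03-15T11:05:00Z", "dc01", "Security", "Microsoft-Windows-Security-Auditing", 4720),
    ("2024-03-15T11:06:00Z", "ws07", "System", "Service Control Manager", 7045),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_event_types(events, now=NOW, window=timedelta(hours=24)):
    """Keys (host, LogName, SourceName, EventCode) whose every occurrence falls
    inside the window: AllCount == NewCount in gault00's search, which is the
    same as 'first seen >= cutoff' after stoomart's dedup ... sortby +_time."""
    cutoff = now - window
    all_count, new_count = defaultdict(int), defaultdict(int)
    for ts, host, logname, source, code in events:
        key = (host, logname, source, code)
        all_count[key] += 1
        if parse_ts(ts) > cutoff:
            new_count[key] += 1
    return sorted(k for k in all_count if all_count[k] == new_count[k])


def codes_absent_from_baseline(events, now=NOW, frame=timedelta(hours=3),
                               baseline=(timedelta(hours=6), timedelta(hours=3))):
    """jlanders's NOT [subsearch] form: EventCodes seen in the last `frame`
    that never appeared in the baseline window (now-6h .. now-3h)."""
    b_start, b_end = now - baseline[0], now - baseline[1]
    baseline_codes = {code for ts, *_, code in events if b_start <= parse_ts(ts) < b_end}
    current_codes = {code for ts, *_, code in events if parse_ts(ts) >= now - frame}
    return sorted(current_codes - baseline_codes)


if __name__ == "__main__":
    print(new_event_types(SAMPLE_EVENTS))            # 4720 on dc01 and 7045 on ws07
    print(codes_absent_from_baseline(SAMPLE_EVENTS))  # [4720, 7036, 7045]
```

Note that 7036 has been logged for days but still comes back from the baseline comparison because the 6h-to-3h baseline window never contained it; the per-key count approach only reports 4720 and 7045.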

bigtyma
Communicator

khubyarb
Path Finder

I downvoted this post because the answer just links back to the question.


martin_mueller
SplunkTrust

I think three identical comments 2.5 years later is enough 🙂


ben363
Path Finder

I downvoted this post because this 'answer' recommends visiting the question that the answer is supposedly answering. I think the poster meant to post this answer as an answer (or comment) on some other question.


martin_mueller
SplunkTrust

That's this very page?


martin_mueller
SplunkTrust

Depending on your specific problem, you may be able to drop the subsearch through something like this (untested, pseudosplunk):

source and whatnot, from yesterday midnight to now | chart count by EventCode date_mday | where yesterday = 0 AND today > 0

Note, you still need to figure out a way to address the columns for today and yesterday correctly.


bigtyma
Communicator

Behold the power of Splunk. Thank you!
