Solved: comparing results from 2 days

michal_centralw · ‎06-11-2014

Hi,

Is there a way to compare results of number of hosts reporting from 2 different days and show only the one which are different?
I tried the following search

unix_category="WEB PROD" earliest=-0d@d latest=now | dedup host| table host | sort by host | append [search unix_category="WEB PROD" earliest=-1d@d latest=-0d@d]

But that was only showing me all the hosts, not the difference.

somesoni2 · ‎06-11-2014

Try this

| set diff [search unix_category="WEB PROD" earliest=-0d@d latest=now | stats count by host | fields - count] [search unix_category="WEB PROD" earliest=-1d@d latest=@d| stats count by host | fields - count]

OR

unix_category="WEB PROD" earliest=-2d@d latest=now | stats values(date_mday) as Days by host | where mvcount(Days)=1

View solution in original post

somesoni2 · ‎06-11-2014

Try this

| set diff [search unix_category="WEB PROD" earliest=-0d@d latest=now | stats count by host | fields - count] [search unix_category="WEB PROD" earliest=-1d@d latest=@d| stats count by host | fields - count]

OR

unix_category="WEB PROD" earliest=-2d@d latest=now | stats values(date_mday) as Days by host | where mvcount(Days)=1

aweitzman · ‎06-11-2014

One thing that works nicely with the "| set diff" answer is to copy the field you're comparing to one with a different name (eval host2=host | stats count by host2) in the second search. Then when you get the results, each set's difference is in its own column (rather than combined together).

michal_centralw · ‎06-11-2014

superb! the first search worked like a charm!

comparing results from 2 days

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...