Splunk Search

How to count number of occurrences made of a "set diff" command, using a different time range

evang_26
Communicator

Hi,

I am challenging myself to solve a problem which came up last week.

The idea is to first make a set diff between two different time frames, which results in an IP table, and then take all those IPs and count how many times they appeared in a much larger time frame.

I have "set diff" working for now, giving me the IP table with the uncommon IPs correctly. What I can't think of is how/where to feed this table.

| set diff [search source=*Host_Enumeration*  earliest=-14d@d latest=-8d@d    | stats count by dest_ip |sort dest_ip  | table dest_ip ] [search source=*Host_Enumeration* earliest=-7d@d latest=now   | stats count by dest_ip  |sort dest_ip  | table dest_ip ] | search earliest=-30d latest=now | stats count(dest_ip) by dest_ip

The above query works until the end of "set diff". Where everything gets screwed up is on the search.

I am not sure if this is very easy or not, but if you could give me a hint or whatever, I would be grateful.

Regards,
Evang

1 Solution

somesoni2
Revered Legend

Try this (assuming, for searching in the longer period, the source remains the same)

source=*Host_Enumeration* earliest=-30d latest=now  [| set diff [search source=*Host_Enumeration*  earliest=-14d@d latest=-8d@d    | stats count by dest_ip |sort dest_ip  | table dest_ip ] [search source=*Host_Enumeration* earliest=-7d@d latest=now   | stats count by dest_ip  |sort dest_ip  | table dest_ip ]] 
| stats count(dest_ip) by dest_ip


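To make the accepted answer's mechanics concrete, here is an added Python emulation of the pipeline (not code from the thread or from Splunk): two windows are reduced to their distinct dest_ip values, `set diff` keeps the values present in exactly one window (Splunk's `set diff` is a symmetric difference, so it returns IPs seen only in the older week together with IPs seen only in the recent week), and the resulting IP list becomes the filter of the outer 30-day search, which is then counted per IP. The events, the day-bucket time model and the helper names are all constructed for this illustration.

```python
"""Emulate the accepted SPL answer on constructed data.

Outer search (30 days) filtered by a subsearch, where the subsearch is
`set diff` over two shorter windows, followed by `stats count by dest_ip`.
"""
from collections import Counter

# Constructed sample events, not real data: (days_ago, dest_ip).
# days_ago 0 is today; each integer is one whole day, standing in for @d snapping.
EVENTS = [
    (12, "10.0.0.5"), (10, "10.0.0.5"), (9, "10.0.0.7"),   # inside -14d@d .. -8d@d
    (3, "10.0.0.5"), (2, "10.0.0.9"), (1, "10.0.0.9"),     # inside -7d@d .. now
    (25, "10.0.0.7"), (20, "10.0.0.9"), (18, "10.0.0.5"),  # older, but inside -30d
    (45, "10.0.0.9"),                                       # outside -30d, must not count
]


def in_window(days_ago, earliest, latest):
    """Splunk time bounds: earliest is inclusive, latest is exclusive.

    earliest=14, latest=8 selects day buckets 13 down to 8 (i.e. -14d@d .. -8d@d).
    """
    return latest <= days_ago < earliest


def dest_ips(events, earliest, latest):
    """`search ... | stats count by dest_ip | table dest_ip`: distinct dest_ips in a window."""
    return {ip for days_ago, ip in events if in_window(days_ago, earliest, latest)}


def set_diff(left, right):
    """Splunk `set diff`: results that appear in exactly one of the two subsearches."""
    return left ^ right


def uncommon_ips(events):
    """The inner `| set diff [...] [...]` part of the answer."""
    older_week = dest_ips(events, earliest=14, latest=8)
    recent_week = dest_ips(events, earliest=7, latest=0)
    return set_diff(older_week, recent_week)


def subsearch_filter(ips):
    """Approximates the OR filter Splunk substitutes for a subsearch that returns one field."""
    return " OR ".join(f'( dest_ip="{ip}" )' for ip in sorted(ips))


def count_over_window(events, ips, earliest=30, latest=0):
    """Outer `source=... earliest=-30d latest=now [subsearch] | stats count(dest_ip) by dest_ip`."""
    return Counter(
        ip for days_ago, ip in events
        if in_window(days_ago, earliest, latest) and ip in ips
    )


def run(events=EVENTS):
    """Full pipeline; returns {dest_ip: count} for the uncommon IPs over 30 days."""
    return dict(count_over_window(events, uncommon_ips(events)))


if __name__ == "__main__":
    ips = uncommon_ips(EVENTS)
    print("subsearch expands to:", subsearch_filter(ips))
    for ip, count in sorted(run().items()):
        print(f"{ip}\t{count}")
```

On the constructed events the subsearch yields 10.0.0.7 (only in the older week) and 10.0.0.9 (only in the recent week); 10.0.0.5 appears in both weeks and is dropped. Over 30 days 10.0.0.7 is counted twice and 10.0.0.9 three times; the 45-day-old event is outside the outer window and is ignored. Two things to keep in mind when running the real search: the whole `set diff` block runs as a subsearch, so it is bound by the subsearch limits in limits.conf (10,000 results and 60 seconds by default), and the filter it produces matches on dest_ip only, so the outer search still needs its own source/index constraints, as the answer assumes.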
evang_26
Communicator

Thank you very much somesoni2.

That worked perfectly!

Regards,
Evang
