
Listing a field where another specified field has changed?

a2368026
New Member

Hello Splunk Answers!

Excuse the rookie question. I have a Splunk instance that is consuming data with events that look like this:

date, domain_accessed, user_visiting_domain, domain_category

I want to create a search where I compare the 'domain_category' on the current day to the same field over a specific period!

For instance, I want the search to list domains that are currently categorised as 'storage' and then search over the previous months for the same domain, but only show those which have NOT been previously categorised as 'storage'.

I.e., I want to identify all 'domains_accessed' where the category has changed from '---' to 'storage' in a given period of time.

Any help gratefully received!

a2368026


maciep
Champion

There are probably a bunch of ways to do this. You could use a subsearch to find all of the domains_accessed that were not storage and add those to filter your main search for current storage categories.

Or you could probably use join to combine results from today's data with last month's data on the domains_accessed field - similar to a SQL join.

But typically, if you can avoid subsearches and joins, then you probably should. And so I think you can get away with stats here.

index=some_access_logs 
| stats latest(domain_category) as current_category, earliest(domain_category) as first_category by domain_accessed 
| where current_category="Storage" AND first_category!="Storage" 

So if you run that over a few months, it should provide you the domains_accessed that were not storage at the beginning of the period but are now. It won't tell you when it switched, not sure if that's needed? I know you say never previously Storage... but not sure when "previously" starts? If it matters when exactly it became storage, that's probably doable with stats too.

Hope this helps.

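To check what the stats-based query above actually returns, here is a small Python re-implementation of the same earliest/latest-per-domain logic over constructed sample events in the question's layout. It is an added example, not code from the original thread, and it also records the date the current run of 'storage' began, which the answer notes the plain stats query does not give; the lowercasing is an assumption about the data, since where in SPL compares strings case-sensitively.

```python
from datetime import date

# Constructed sample events: date, domain_accessed, user_visiting_domain, domain_category
SAMPLE_EVENTS = [
    ("2024-03-02", "files.example-a.test", "alice", "---"),
    ("2024-03-15", "files.example-a.test", "bob", "---"),
    ("2024-05-01", "files.example-a.test", "alice", "storage"),
    ("2024-03-05", "cdn.example-b.test", "carol", "storage"),
    ("2024-05-03", "cdn.example-b.test", "carol", "storage"),
    ("2024-04-10", "news.example-c.test", "dave", "news"),
    ("2024-05-04", "news.example-c.test", "dave", "news"),
    ("2024-03-20", "share.example-d.test", "erin", "news"),
    ("2024-04-02", "share.example-d.test", "erin", "storage"),
    ("2024-05-05", "share.example-d.test", "frank", "---"),
    ("2024-03-01", "drive.example-e.test", "grace", "news"),
    ("2024-04-11", "drive.example-e.test", "grace", "Storage"),
    ("2024-05-06", "drive.example-e.test", "heidi", "storage"),
]


def category_changes(events, target="storage"):
    """Mirror of the answer's SPL:
    stats latest(domain_category) as current_category,
          earliest(domain_category) as first_category by domain_accessed
    | where current_category=target AND first_category!=target
    plus the date on which the current run of `target` started."""
    by_domain = {}
    for d, domain, _user, category in events:
        # Assumption: categories are compared case-insensitively ("Storage" == "storage").
        by_domain.setdefault(domain, []).append((date.fromisoformat(d), category.lower()))
    result = {}
    for domain, rows in by_domain.items():
        rows.sort()  # oldest first, as earliest()/latest() order by _time
        first_category = rows[0][1]
        current_category = rows[-1][1]
        if current_category != target or first_category == target:
            continue  # same filter as the SPL where clause
        # Walk back from the newest event to find when the current run of `target` began.
        changed_on = rows[-1][0]
        for when, category in reversed(rows):
            if category != target:
                break
            changed_on = when
        result[domain] = {"first_category": first_category, "changed_on": changed_on.isoformat()}
    return result
```

share.example-d.test is excluded because its latest category is '---' again, and cdn.example-b.test because it was already 'storage' at the start of the period.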