Solved: compare results in different days

stevesmith08 · ‎05-27-2019

Good day! I have two requests for different dates. I need to compare the results of the queries.

The following comparison command works correctly:
| set diff
[search sourcetype=“scan_results” date=“2019-05-27” | table host, port, state]
[search sourcetype=“scan_results” date=“2019-05-28” | table host, port, state]

But I need to add a field “date” to each result.

In the end, I want to track changes in the status of ports for different scan dates.

Could you help me, please?

Thanks

DavidHourani · ‎05-28-2019

Hi @stevesmith08,

You can use something like that if you want to add the date field :

sourcetype=“scan_results” date=“2019-05-27”  OR date=“2019-05-28”  
| stats dc(date) as condition values(date) as date by host, port, state 
| where condition <2

Cheers,
David

View solution in original post

DavidHourani · ‎05-28-2019

Hi @stevesmith08,

You can use something like that if you want to add the date field :

sourcetype=“scan_results” date=“2019-05-27”  OR date=“2019-05-28”  
| stats dc(date) as condition values(date) as date by host, port, state 
| where condition <2

Cheers,
David

stevesmith08 · ‎05-28-2019

Thanks! it works correctly

DavidHourani · ‎05-28-2019

you're welcome !

koshyk · ‎05-28-2019

hi Steve
You already have got the "date" field in the event. You could add it straight away or am i not understanding the issue correctly?

| set diff
[search sourcetype=“scan_results” date=“2019-05-27” | table host, port, state, date]
[search sourcetype=“scan_results” date=“2019-05-28” | table host, port, state, date]

.

stevesmith08 · ‎05-28-2019

If you explicitly specify the date in each subquery, the results they return differ in this field.

I need to compare only fields “host”, “port”, “state”

compare results in different days

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability