- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to write a search to compare results from ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Background: I'm trying to create a search that will let me know if something about a user is true within the last 7 days. I am then trying to run a search to see if that username has existed ever within the time before that first search. If they have, I don't want to display a count for them.
I have two different searches that I want to run:
First Search:
index=security extracted_eventtype=authentication something=true earliest=-7d | dedup username | table username
Second Search:
index=security extracted_eventtype=authentication latest=-8d earliest=-90d | dedup username | table username
Is there a way to compare these two searches and return the results of things that don't match, so basically only things that exist in the first search?
Example:
First search returns: Bob, Jim, Steve
Second Search returns: Bob, Fred, Mark, Todd
Ideally I would want a query that spits out: Jim and Steve because they are only unique things from the first search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try. Will show user names who have only appeared in last 7 days and never before in last 90 days (from 8-90 days period)
index=security extracted_eventtype=authentication something=true earliest=-90d | eval Period=if(_time>=relative_time(now(),"-7d"),1,2) | stats max(Period) as periods by username | where periods=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try. Will show user names who have only appeared in last 7 days and never before in last 90 days (from 8-90 days period)
index=security extracted_eventtype=authentication something=true earliest=-90d | eval Period=if(_time>=relative_time(now(),"-7d"),1,2) | stats max(Period) as periods by username | where periods=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That did the trick! Thanks so much! 🙂
Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users
Everything Community at .conf24!
Index This | I’m short for "configuration file.” What am I?
