I am trying to filter events in Splunk that contain a unique field (payload.procName) that have not been seen before today. Specifically, I am looking for events that contain the payload.procName field that are appearing for the first time today. How can I filter these events to only show the unique payload.procName values that have been seen today but never seen before?
I've tried this query:
tags.appInstance=your_index earliest=-1d latest= now() payload.procName NOT in
[| search tags.appInstance= your_index earliest=-1mon@mon latest=-1d table payload.procName
| dedup payload.procName ]
| table payload.procName
| dedup payload.procName
You have the general format for the query. See if this helps. It removes the IN keyword (incorrectly used as "in") because the subsearch does not return results compatible with that operator. It also uses the format command to explicitly format the results. Run the subsearch by itself to see what I mean.
tags.appInstance=your_index earliest=-1d latest= now() payload.procName=* NOT
[search tags.appInstance= your_index earliest=-1mon@mon latest=-1d payload.procName=*
| fields payload.procName
| dedup payload.procName
| format ]
| dedup payload.procName
| table payload.procName
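To see what the corrected query actually computes, here is an added Python emulation (not from the thread, and not Splunk code): it builds the baseline set the subsearch returns, shows the kind of disjunction that "| format" turns those rows into so the outer NOT can negate it, and returns the procNames first seen in the last day. The event list, the 30-day lookback standing in for -1mon@mon, and the exact shape of the format string are assumptions.

```python
from datetime import datetime, timedelta, timezone

FIELD = "payload.procName"
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample events (not real data): _time plus the procName field.
EVENTS = [
    {"_time": NOW - timedelta(days=20), FIELD: "sshd"},
    {"_time": NOW - timedelta(days=9), FIELD: "cron"},
    {"_time": NOW - timedelta(hours=5), FIELD: "sshd"},
    {"_time": NOW - timedelta(hours=3), FIELD: "nc"},
    {"_time": NOW - timedelta(hours=1), FIELD: "nc"},
    {"_time": NOW - timedelta(minutes=10), FIELD: "python3"},
    {"_time": NOW - timedelta(hours=2)},  # no procName: dropped, like procName=*
]


def baseline_names(events, now, window_days=30, boundary_days=1):
    """The subsearch: distinct procNames before the last day.
    Assumption: a fixed 30-day lookback replaces the calendar-month -1mon@mon."""
    start = now - timedelta(days=window_days)
    end = now - timedelta(days=boundary_days)
    return {e[FIELD] for e in events if FIELD in e and start <= e["_time"] < end}


def format_predicate(names):
    """Emulates what `| format` makes of the subsearch rows: one OR'd clause per
    row that the outer search can prefix with NOT. The string shape is an
    approximation of Splunk's default format output, not its exact text."""
    clauses = [f'( {FIELD}="{n}" )' for n in sorted(names)]
    return "( " + " OR ".join(clauses) + " )"


def first_seen_today(events, now):
    """The outer search: last-day events whose procName is NOT in the baseline,
    reduced to one entry per name (dedup | table)."""
    seen_before = baseline_names(events, now)
    window_start = now - timedelta(days=1)
    new_names = []
    for e in events:
        if FIELD not in e or not (window_start <= e["_time"] <= now):
            continue
        if e[FIELD] not in seen_before and e[FIELD] not in new_names:
            new_names.append(e[FIELD])
    return new_names


if __name__ == "__main__":
    print("NOT", format_predicate(baseline_names(EVENTS, NOW)))
    print(first_seen_today(EVENTS, NOW))
```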