https://community.splunk.com/t5/Getting-Data-In/delta-report-for-multiple-hosts/m-p/15463#M1726 <P>I have the following log messages coming from syslog-ng</P> <P>Jun 14 10:32:04 sc4-cron.mcafeesecure.com syslog-ng[2775]: Log statistics; dropped='tcp(AF_INET(10.98.202.126:514))=1613614', processed='center(queued)=175194', processed='center(received)=109152', processed='destination(d_resin)=51369', processed='destination(d_boot)=0', processed='destination(d_auth)=439', processed='destination(d_cron)=362', processed='destination(d_mlal)=0', processed='destination(loghost)=109152', processed='destination(d_mesg)=93', processed='destination(d_cons)=0', processed='destination(d_snmp)=6782', processed='destination(d_spol)=0', processed='destination(d_mail)=6997', processed='source(s_sys)=66165', processed='source(s_tail)=42187', processed='source(s_raccess)=800', processed='source(s_tail_2)=0'</P> <P>Jun 14 10:22:04 sc4-cron.mcafeesecure.com syslog-ng[2775]: Log statistics; dropped='tcp(AF_INET(10.98.202.126:514))=1613614', processed='center(queued)=173017', processed='center(received)=107903', processed='destination(d_resin)=50855', processed='destination(d_boot)=0', processed='destination(d_auth)=430', processed='destination(d_cron)=359', processed='destination(d_mlal)=0', processed='destination(loghost)=107903', processed='destination(d_mesg)=92', processed='destination(d_cons)=0', processed='destination(d_snmp)=6610', processed='destination(d_spol)=0', processed='destination(d_mail)=6768', processed='source(s_sys)=65231', processed='source(s_tail)=41872', processed='source(s_raccess)=800', processed='source(s_tail_2)=0'</P> <P>Jun 14 10:12:04 sc4-cron.mcafeesecure.com syslog-ng[2775]: Log statistics; dropped='tcp(AF_INET(10.98.202.126:514))=1613614', processed='center(queued)=171101', processed='center(received)=106828', processed='destination(d_resin)=50405', processed='destination(d_boot)=0', processed='destination(d_auth)=416', processed='destination(d_cron)=338', processed='destination(d_mlal)=0', processed='destination(loghost)=106828', processed='destination(d_mesg)=87', processed='destination(d_cons)=0', processed='destination(d_snmp)=6428', processed='destination(d_spol)=0', processed='destination(d_mail)=6599', processed='source(s_sys)=64382', processed='source(s_tail)=41646', processed='source(s_raccess)=800', processed='source(s_tail_2)=0'</P> <P>I am using the following query to generate a diff of the field in this message I want (in this case the dropped field)</P> <P>syslog-ng "Log statistics" host="sc4-cron*" | rex "(?i)^(?:[^=]<EM>=){2}(?P[^']</EM>)(?=')" | search DROPPED="<EM>" | delta DROPPED as DROPPEDDIFF | search DROPPEDDIFF="</EM>"</P> <P>this works fine on a single host, however, I would like to run this across all of my hosts. The problem I then encounter, is that the previous log message is not from the same host as the latest message, therefore the diffs that are created are not accurate.</P> <P>I have hundreds of hosts, and would like to build a report on this data, however, I can't really go and do them all individually. In addition getting all of this into one report would be ideal.</P> Tue, 15 Jun 2010 00:58:09 GMT mcafeesecure 2010-06-15T00:58:09Z https://community.splunk.com/t5/Getting-Data-In/delta-report-for-multiple-hosts/m-p/15463#M1726 <P>I have the following log messages coming from syslog-ng</P> <P>Jun 14 10:32:04 sc4-cron.mcafeesecure.com syslog-ng[2775]: Log statistics; dropped='tcp(AF_INET(10.98.202.126:514))=1613614', processed='center(queued)=175194', processed='center(received)=109152', processed='destination(d_resin)=51369', processed='destination(d_boot)=0', processed='destination(d_auth)=439', processed='destination(d_cron)=362', processed='destination(d_mlal)=0', processed='destination(loghost)=109152', processed='destination(d_mesg)=93', processed='destination(d_cons)=0', processed='destination(d_snmp)=6782', processed='destination(d_spol)=0', processed='destination(d_mail)=6997', processed='source(s_sys)=66165', processed='source(s_tail)=42187', processed='source(s_raccess)=800', processed='source(s_tail_2)=0'</P> <P>Jun 14 10:22:04 sc4-cron.mcafeesecure.com syslog-ng[2775]: Log statistics; dropped='tcp(AF_INET(10.98.202.126:514))=1613614', processed='center(queued)=173017', processed='center(received)=107903', processed='destination(d_resin)=50855', processed='destination(d_boot)=0', processed='destination(d_auth)=430', processed='destination(d_cron)=359', processed='destination(d_mlal)=0', processed='destination(loghost)=107903', processed='destination(d_mesg)=92', processed='destination(d_cons)=0', processed='destination(d_snmp)=6610', processed='destination(d_spol)=0', processed='destination(d_mail)=6768', processed='source(s_sys)=65231', processed='source(s_tail)=41872', processed='source(s_raccess)=800', processed='source(s_tail_2)=0'</P> <P>Jun 14 10:12:04 sc4-cron.mcafeesecure.com syslog-ng[2775]: Log statistics; dropped='tcp(AF_INET(10.98.202.126:514))=1613614', processed='center(queued)=171101', processed='center(received)=106828', processed='destination(d_resin)=50405', processed='destination(d_boot)=0', processed='destination(d_auth)=416', processed='destination(d_cron)=338', processed='destination(d_mlal)=0', processed='destination(loghost)=106828', processed='destination(d_mesg)=87', processed='destination(d_cons)=0', processed='destination(d_snmp)=6428', processed='destination(d_spol)=0', processed='destination(d_mail)=6599', processed='source(s_sys)=64382', processed='source(s_tail)=41646', processed='source(s_raccess)=800', processed='source(s_tail_2)=0'</P> <P>I am using the following query to generate a diff of the field in this message I want (in this case the dropped field)</P> <P>syslog-ng "Log statistics" host="sc4-cron*" | rex "(?i)^(?:[^=]<EM>=){2}(?P[^']</EM>)(?=')" | search DROPPED="<EM>" | delta DROPPED as DROPPEDDIFF | search DROPPEDDIFF="</EM>"</P> <P>this works fine on a single host, however, I would like to run this across all of my hosts. The problem I then encounter, is that the previous log message is not from the same host as the latest message, therefore the diffs that are created are not accurate.</P> <P>I have hundreds of hosts, and would like to build a report on this data, however, I can't really go and do them all individually. In addition getting all of this into one report would be ideal.</P> Tue, 15 Jun 2010 00:58:09 GMT https://community.splunk.com/t5/Getting-Data-In/delta-report-for-multiple-hosts/m-p/15463#M1726 mcafeesecure 2010-06-15T00:58:09Z https://community.splunk.com/t5/Getting-Data-In/delta-report-for-multiple-hosts/m-p/15464#M1727 <P>You can use the <CODE>streamstats</CODE> command, something like:</P> <PRE><CODE>... | streamstats current=f global=f window=1 first(DROPPED) as NEXT_DROPPED by host | eval DROPPEDDIFF = NEXT_DROPPED-DROPPED </CODE></PRE> <P>Something like that. You may have to reverse the subtraction, I'm not sure which way around it goes, and well, it might be off-by-one, i.e. the diff might be on the <EM>previous</EM> vs the <EM>current</EM> result, but you get the idea.</P> Tue, 15 Jun 2010 01:39:17 GMT https://community.splunk.com/t5/Getting-Data-In/delta-report-for-multiple-hosts/m-p/15464#M1727 gkanapathy 2010-06-15T01:39:17Z https://community.splunk.com/t5/Getting-Data-In/delta-report-for-multiple-hosts/m-p/15465#M1728 <P>Thanks.<BR /> For the record, the final query looks like this:</P> <P>syslog-ng "Log statistics" host!="qa2-cron*" | rex "(?i)^(?:[^=]<EM>=){2}(?P<DROPPED>[^']</DROPPED></EM>)(?=')" | search DROPPED="*" | streamstats current=f global=f window=1 first(DROPPED) as NEXT_DROPPED by host | eval DROPPEDDIFF = NEXT_DROPPED-DROPPED | search DROPPEDDIFF&gt;0</P> Mon, 28 Sep 2020 09:13:50 GMT https://community.splunk.com/t5/Getting-Data-In/delta-report-for-multiple-hosts/m-p/15465#M1728 mcafeesecure 2020-09-28T09:13:50Z https://community.splunk.com/t5/Getting-Data-In/delta-report-for-multiple-hosts/m-p/15466#M1729 <P>Thank you, you helped me solve my problem.</P> Sat, 16 Apr 2016 19:50:18 GMT https://community.splunk.com/t5/Getting-Data-In/delta-report-for-multiple-hosts/m-p/15466#M1729 morian 2016-04-16T19:50:18Z