topic Re: Compare logs between two different datacenter and match the value. in Splunk Search

Compare logs between two different datacenter and match the value.

DougiieDee — Mon, 09 Aug 2021 14:31:19 GMT

I have two different datacenter . hostA and hostB are like datacenters and 1,2,3.... are hosts. hostA-1, hostA-2, hostA-3, hostA-4, hostA-5 . hostB-5, hostB-6, hostB-7, hostB-8. and wanted to check side by side to those datacenters and only get the token value that matches. here is the sample log: 2021-08-05 19:01:59.677 INFO RestTemplate: {"logType":"STANDARD","message":"==========================request log================================================", "Method":"POST","Headers":"{Accept=[application/json], Content-Type=[application/json], Authorization=[Bearer eyJhQM8DMG8bEtCIsiZ0GjyYWxwt3ny1Q], Token=[basd23123], "Request body": {"accountNumber":824534875389475}}} hostA = 1 source = a.log sourcetype = a_log 2021-08-05 19:01:59.687 INFO RestTemplate: {"logType":"STANDARD","message":"==========================request log================================================", "Method":"POST","Headers":"{Accept=[application/json], Content-Type=[application/json], Authorization=[Bearer eyJhQM8DMG8bEtCIsiZ0GjyYWxwt3ny1Q], Token=[basd23123], "Request body": {"accountNumber":824534875389475}}} hostb = 6 source = a.log sourcetype = a_log

if the Authorization matches on both hostA and hostB then only the matched are needed.
eg
hostA hostB result
asd132c asd132c matched

Re: Compare logs between two different datacenter and match the value.

ITWhisperer — Mon, 09 Aug 2021 14:56:38 GMT

Is this one or two events? There appear to be a timestamp start of the second event as part of the first event - is this just an artefact of copy/paste or are there really two events in one?

| rex "Authorization=\[(?<Authorization>[^\]]+)\].+(?<host>host\w+)\s=\s" | eventstats values(host) as hosts by Authorization | where mvcount(hosts) = 2

Re: Compare logs between two different datacenter and match the value.

DougiieDee — Mon, 09 Aug 2021 16:30:49 GMT

the hostA logs are being replicated to hostB datacenter. thats is the reason it is in both datacenter. this query didnt display any results.

Re: Compare logs between two different datacenter and match the value.

DougiieDee — Fri, 13 Aug 2021 07:16:05 GMT

@venkatasri can u help me on this??

Re: Compare logs between two different datacenter and match the value.

venkatasri — Sat, 14 Aug 2021 08:47:33 GMT

@DougiieDee Try below.

| rex "Authorization=\[(?<Authorization>[^\]]+).+\}\s{0,1}(?<host>\S+)" | stats values(host) as hosts by Authorization | where mvcount(hosts) >= 2 | eval result = "matched"