https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243023#M72310 <P>Hi Experts,</P> <P>Is it possible to do event based comparison on file SAVE?</P> <P>Events compare with previous file and present file and provide differences.</P> Tue, 11 Oct 2016 22:25:16 GMT rajgowd1 2016-10-11T22:25:16Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243023#M72310 <P>Hi Experts,</P> <P>Is it possible to do event based comparison on file SAVE?</P> <P>Events compare with previous file and present file and provide differences.</P> Tue, 11 Oct 2016 22:25:16 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243023#M72310 rajgowd1 2016-10-11T22:25:16Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243024#M72311 <P>I cannot send you now because my pc is and will be offline until Tomorrow, but in the Splunk partner kit there is an example that solves your problem.<BR /> If you'll never find, I'll send it to you Tomorrow.<BR /> Bye.<BR /> Giuseppe </P> Wed, 12 Oct 2016 05:57:26 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243024#M72311 gcusello 2016-10-12T05:57:26Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243025#M72312 <P>Hi Giuseppe,<BR /> I tried and new to splunk.i am not able to find in the splunk partner kit.please send me once you get a chance.</P> Wed, 12 Oct 2016 14:21:25 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243025#M72312 rajgowd1 2016-10-12T14:21:25Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243026#M72313 <P>Hi rajgowd1,<BR /> Ask to your Splunk Channel Manager for Partner Kit: it's very useful to see some applications and examples, I cannot send you because it's very large.</P> <P>Every way, App is very old but useful only to see the approach.</P> <P>In inputs.conf you can see how to load changes and files.</P> <PRE><CODE>[fschange:/your_files_to_monitor_with_full_path] sourcetype = fschange index = main recurse = true pollPeriod = 5 fullEvent = true sendEventMaxSize = -1 hashMaxSize = 99999999 index = changemgmt disabled = 0 [monitor://your_files_to_monitor_with_full_path] followTail = 0 sourcetype = config_file index = changemgmt disabled = 0 </CODE></PRE> <P>You can show modification using panels with searches like these:</P> <PRE><CODE>Top actions index=changemgmt sourcetype=fschange | top action Type of changes made over a period index=changemgmt sourcetype=fschange | timechart count by action Change Results index=changemgmt sourcetype=fschange | table host, _time, action, path Detailed Configuration Changes index=changemgmt sourcetype=config_file | diff diffheader=true | highlight +,- </CODE></PRE> <P>Obviously you have to extract the fields to use in searches.</P> <P>I hope to be useful for you.</P> <P>Bye.<BR /> Giuseppe</P> Fri, 14 Oct 2016 07:31:14 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243026#M72313 gcusello 2016-10-14T07:31:14Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243027#M72314 <P>HI Giuseppe,</P> <P>Thank you so much. I tried the configuration which you provided and tried all search commands. Everything is working as expected.</P> <P>Do I need to restart the Splunk instance if I make any changes in inputs.conf file?</P> <P>When I try this command</P> <PRE><CODE>index=changemgmt sourcetype=config_file | diff diffheader=true | highlight +,- </CODE></PRE> <P>it is showing the events like below</P> <PRE><CODE>--- fschangemonitor +++ /home/splunk/config/Chrystoki.conf @@ -1 +1,8 @@ -Fri Oct 14 12:07:01 2016 action=update, path="//home/splunk/config/Chrystoki.conf", isdir=0, size=1627, gid=500, uid=500, modtime="Fri Oct 14 12:06:25 2016", mode="rw-rw-r--", hash=F6D1B2512F5F32A1357A1CE7B16888A54C26CDC6AA7C0A17EFE6FF3DC3130AFE, chgs="modtime hash " +Luna = { + DefaultTimeOut = 200000; + PEDTimeout1 = 100000; + PEDTimeout2 = 100000; + PEDTimeout3 = 10000; + KeypairGenTimeOut = 2700000; + CloningCommandTimeOut = 300000; +} </CODE></PRE> <P>is it possible to show only the content with good representation?</P> Fri, 14 Oct 2016 16:24:33 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243027#M72314 rajgowd1 2016-10-14T16:24:33Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243028#M72315 <P>To use the new inputs.conf you have to restart Splunk.</P> <P>The panel shows differences between files that you wanted to highlight.</P> <P>You could also show the single files highlighting differences found with that search.<BR /> Something like this (I cannot test it now):</P> <PRE><CODE>index=changemgmt source=config_file1 [index=changemgmt sourcetype=config_file | diff diffheader=tru] </CODE></PRE> <P>Try it.<BR /> Bye.<BR /> Giuseppe </P> Fri, 14 Oct 2016 17:00:09 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243028#M72315 gcusello 2016-10-14T17:00:09Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243029#M72316 <P>HI Giuseppe,</P> <P>I just tried this search below, it says <CODE>Unknown search command 'index'</CODE>.</P> <PRE><CODE>index=test_index source=/home/splunk/config/simple.conf [index="test_idex" sourcetype=conf | diff diffheader=true] </CODE></PRE> <P>So then I tried this search:</P> <PRE><CODE>index=test_index source=/home/splunk/config/simple.conf [search index=test_index source=conf| diff diffheader=true] </CODE></PRE> <P>but it is not showing any results.<BR /> <CODE>[subsearch]: command="diff", pos1=1 is out of bounds</CODE></P> Fri, 14 Oct 2016 17:31:32 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243029#M72316 rajgowd1 2016-10-14T17:31:32Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243030#M72317 <P>Hi Giuseppe,<BR /> when use the search index=changemgmt sourcetype=config_file | diff diffheader=true | highlight +,-<BR /> sometimes showing modified changes but sometimes not.do you have any idea why its behaving like this.</P> Tue, 08 Nov 2016 16:38:05 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243030#M72317 rajgowd1 2016-11-08T16:38:05Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243031#M72318 <P>Hi Giuseppe,<BR /> when use the search index=changemgmt sourcetype=config_file | diff diffheader=true | highlight +,-<BR /> sometimes showing modified changes but sometimes not.do you have any idea why its behaving like this.</P> Tue, 08 Nov 2016 16:39:33 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-event-based-comparison-on-file-SAVE/m-p/243031#M72318 rajgowd1 2016-11-08T16:39:33Z