All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unix App - Report on Differences in Open Ports

aferone
Builder
‎11-03-2011 10:29 AM

We have the *NIX app working, and as an example, we have one system feeding netstat and open port data into it. We are feeding this data every hour. How can I send an alert if the reports each hour don't match? Basically, if a new port is opened, or an existing port is closed, we want to get an alert.

Thanks for the help, as always!

Reply
2 Solutions
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎11-03-2011 01:41 PM

Try the diff command:

http://docs.splunk.com/Documentation/Splunk/latest/Searchreference/Diff

index=os sourcetype=netstat host=your_host | head 2 | diff

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aferone
Builder
‎11-04-2011 10:36 AM

Thank you for the answer!

Now, I am trying to create a alert for this. Under normal conditions, I get the "** Results are the Same **" message. However, when there is a difference, for example, I get this:

@@ -15,3 +15,4 @@
udp 52480
udp 20031
udp 5353
+udp 1514

I am trying to set up the alert so that obviously it only send us an email when there is a difference. I tried using the custom condition in the alert to exclude the "** Results are the Same **" message, but it is not working.

Any suggestions? Thanks again!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aferone
Builder
‎11-04-2011 10:36 AM

Thank you for the answer!

Now, I am trying to create a alert for this. Under normal conditions, I get the "** Results are the Same **" message. However, when there is a difference, for example, I get this:

@@ -15,3 +15,4 @@
udp 52480
udp 20031
udp 5353
+udp 1514

I am trying to set up the alert so that obviously it only send us an email when there is a difference. I tried using the custom condition in the alert to exclude the "** Results are the Same **" message, but it is not working.

Any suggestions? Thanks again!

0 Karma
Reply
Solved! Jump to solution

aferone
Builder
‎11-09-2011 08:40 AM

This worked perfectly. Thank you!

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎11-07-2011 04:19 PM

I think you can filter no-diffs out by adding one of the following to your search:

... | search linecount > 2
... | search NOT "Results are the Same"
0 Karma
Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎11-03-2011 01:41 PM

Try the diff command:

http://docs.splunk.com/Documentation/Splunk/latest/Searchreference/Diff

index=os sourcetype=netstat host=your_host | head 2 | diff
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...