All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Unix App - Report on Differences in Open Ports

aferone
Builder
‎11-03-2011 10:29 AM

We have the *NIX app working, and as an example, we have one system feeding netstat and open port data into it. We are feeding this data every hour. How can I send an alert if the reports each hour don't match? Basically, if a new port is opened, or an existing port is closed, we want to get an alert.

Thanks for the help, as always!

Reply
2 Solutions
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎11-03-2011 01:41 PM

Try the diff command:

http://docs.splunk.com/Documentation/Splunk/latest/Searchreference/Diff

index=os sourcetype=netstat host=your_host | head 2 | diff

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aferone
Builder
‎11-04-2011 10:36 AM

Thank you for the answer!

Now, I am trying to create a alert for this. Under normal conditions, I get the "** Results are the Same **" message. However, when there is a difference, for example, I get this:

@@ -15,3 +15,4 @@
udp 52480
udp 20031
udp 5353
+udp 1514

I am trying to set up the alert so that obviously it only send us an email when there is a difference. I tried using the custom condition in the alert to exclude the "** Results are the Same **" message, but it is not working.

Any suggestions? Thanks again!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aferone
Builder
‎11-04-2011 10:36 AM

Thank you for the answer!

Now, I am trying to create a alert for this. Under normal conditions, I get the "** Results are the Same **" message. However, when there is a difference, for example, I get this:

@@ -15,3 +15,4 @@
udp 52480
udp 20031
udp 5353
+udp 1514

I am trying to set up the alert so that obviously it only send us an email when there is a difference. I tried using the custom condition in the alert to exclude the "** Results are the Same **" message, but it is not working.

Any suggestions? Thanks again!

0 Karma
Reply
Solved! Jump to solution

aferone
Builder
‎11-09-2011 08:40 AM

This worked perfectly. Thank you!

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎11-07-2011 04:19 PM

I think you can filter no-diffs out by adding one of the following to your search:

... | search linecount > 2
... | search NOT "Results are the Same"
0 Karma
Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎11-03-2011 01:41 PM

Try the diff command:

http://docs.splunk.com/Documentation/Splunk/latest/Searchreference/Diff

index=os sourcetype=netstat host=your_host | head 2 | diff
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...