Splunk Search

how to pass parameters to search command

rajgowd1
Communicator

I am trying to search for strings like Error OR WARNING and IPADDRESS or HOSTNAME in the /var/log/messages file and display the content as events.

index=test_idx source=/var/log/messages ERROR OR Error OR error

I have host names and IP addresses in a txt file called hostnames.txt, which is available under /home/splunk:
169.182.202.153
169.152.202.143
I am retrieving these IPs from a config file and storing them in a text file. There is a chance that IPs will be added on a daily basis.

How do I pass the IP addresses to the search command together with Error OR Warning?

1 Solution

Ravan
Path Finder

I can think of a couple of ways here.

  • Have this list uploaded into Splunk as a lookup file and use it in a sub-search.

Ex:
index=test_idx source=/var/log/messages ERROR OR Error OR error [|inputlookup lookup_hosts.csv|table host]

  • You can configure Splunk to monitor this hostnames.txt file on a daily basis and index the logs into a different index. Then use it in your search again.

index=test_idx source=/var/log/messages ERROR OR Error OR error [search index=host_names earliest=-24h | dedup host|table host]


Ravan
Path Finder

Hi Rajgowd,

Can you check the permissions of the script "$SPLUNK_HOME/etc/your_app/bin/txt2csv.sh"? You need to set something like "chmod 755 txt2csv.sh" and reload Splunk one more time. And set the same permissions for commands.conf too.

You may have to remove the below part of your script, because you need not redirect the output again; we are going to use it directly at search time, right?

${configPath}/devices.txt

And you can add any script like this in Splunk. Once everything is set properly you should see these custom search commands from the UI too: "Settings >> Advanced search >> Search commands".

You can edit this script directly in the bin directory; it gets updated automatically.


rajgowd1
Communicator

Hi Ravan,
I tried your suggestions, and when I try to search I get the below error:

index=netstat [|hsmsys]
Error in 'hsmsys' command: Cannot find program 'hsmsys' or script 'hsmsys'.


rajgowd1
Communicator

Hi Ravan,
thanks for your response.

My requirement is how to pass host names or IP addresses to the search query.
I have 3 host names in my txt file, and it might be more like 6 to 7 IPs:
169.172.202.123
169.172.202.124
169.132.202.114

something like

index=test_idx source=/var/log/messages ERROR OR Error OR error OR IP1 OR IP2 OR IP3


Ravan
Path Finder

Hey Rajgowd,

I see some cool suggestions here. I believe you are familiar now with how sub-search works.

index=test_idx source=/var/log/messages ERROR OR Error OR error [inputlookup hostnames.csv | fields ip | format]

This actually means

index=test_idx source=/var/log/messages ERROR OR Error OR error (IP1 OR IP2 OR IP3.....)

And since you mentioned the script that generates these IPs from sample.conf: you can actually create a custom search command with this script and use it directly in your search.

Steps:

  • Place your script file (.bat, .cmd, .exe, .js, .pl, .py, .sh) under $SPLUNK_HOME/etc/your_app/bin directory.
  • Update/Create commands.conf on $SPLUNK_HOME/etc/your_app/local/ directory.

Ex: $SPLUNK_HOME/etc/search/local/commands.conf
[rajgowd]
file = ip_script.sh
  • Refresh the app via the URL "http://SPLUNKHOST:8000/debug/refresh"

After these steps you can use this custom command "rajgowd" directly in your search.

Ex:

index=test_idx source=/var/log/messages ERROR OR Error OR error [ |rajgowd]

OR

use the script to update a lookup and use the lookup in the search:

| rajgowd | outputlookup lookup_ips.csv


rajgowd1
Communicator

Hi Ravan,
I implemented the custom search command and followed the steps you mentioned in your comments.

Here is my script, which retrieves IPs and stores them in a file:

#!/bin/bash
# Pull the ServerName values out of sample.conf and write them to devices.txt
configPath="/home/splunk/config"
cat ${configPath}/sample.conf | grep ServerName | awk '{print $3}' | cut -f1 -d';' > ${configPath}/devices.txt

cat devices.txt
169.172.202.13
poc-citi-luna1.nam.ns
169.172.202.14

I placed this script under $SPLUNK_HOME/etc/your_app/bin and created a commands.conf file under the local directory:

cat commands.conf
[hsmsys]
file = txt2csv.sh
and refreshed the app via the mentioned URL, changing the hostname in the URL.

When I run index=netstat [|hsmsys]

I get an error like:
Error in 'hsmsys' command: Cannot find program 'hsmsys' or script 'hsmsys'.

Not sure if I missed anything here.

I have a few doubts here:
How do I update my script in future, on a day-to-day basis, to load new IPs?
Will whatever script I have work here?

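As an added example (not the thread's own script) that combines Ravan's custom-command steps with rajgowd1's extraction script: a generating command that prints its results as CSV on stdout instead of redirecting to devices.txt, and validates every value before it can reach the outer search. It assumes config lines of the form "ServerName = value;" (inferred from the awk/cut pipeline) and relies on the Splunk convention that a subsearch column named `search` is inserted into the outer search as raw terms.

```shell
#!/bin/bash
# Added example, not the thread's script: a generating command for Splunk that
# reads "ServerName = value;" lines (format assumed from the awk/cut pipeline),
# validates each value and prints CSV on stdout (no redirect to devices.txt).
# A column named "search" is inserted into the outer search as raw terms, so
#   index=test_idx source=/var/log/messages (ERROR OR Error OR error) [| hsmsys]
# expands to (169.172.202.13 OR 169.172.202.14 OR poc-citi-luna1.nam.ns).

# Accept only IPv4-looking or hostname-looking values; anything else (spaces,
# parentheses, quotes, operators) is rejected so a malformed config line
# cannot add unintended search syntax to the outer query.
is_valid_host() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*|-*|*-|.*|*.) return 1 ;;
    esac
    return 0
}

# Extract, de-duplicate and validate ServerName values from the file in $1.
# Rejected values go to stderr, which Splunk records in search.log.
extract_hosts() {
    awk '$1 == "ServerName" { print $3 }' "$1" | cut -d';' -f1 | LC_ALL=C sort -u |
    while IFS= read -r value; do
        if is_valid_host "$value"; then
            printf '%s\n' "$value"
        else
            printf 'rejected ServerName value: %s\n' "$value" >&2
        fi
    done
}

# CSV with a single "search" column, the shape a generating command returns.
emit_csv() {
    printf 'search\n'
    extract_hosts "$1"
}

# Constructed sample config so the script runs stand-alone; the real command
# would read /home/splunk/config/sample.conf instead.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
ServerName = 169.172.202.13;
ServerName = poc-citi-luna1.nam.ns;
ServerName = 169.172.202.14;
ServerName = 169.172.202.13;
ServerName = 169.172.202.14) OR index=*;
EOF
emit_csv "$sample_conf"
```

Install it as the `file =` target in commands.conf exactly as Ravan describes (executable bit set); the duplicate and the malformed line in the constructed sample show the de-duplication and the rejection path.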