Re: Device Configuration checking

keiichilam · ‎02-19-2012

HI I have a problem.

I have a NAS that have a mail folder to store Devices' configuration file.
Each device will have a separate directory to its configuration.
A configuration commit in the device will automatically save a new copy in own folder and each day a copy will automatically generate at specific time, for example, 12:00am.

I want to use splunk to figure out change of the configuration

I could use diff and head to pull out last 5 configuration and diff on it.
but boss want to add an additional comparison whcih compare to the last file one day ago.

sourcetype="deviceconfig" host="switch1" latest_time=now | head 5 | diff position1=1 position2=2 
| append [ search sourcetype="deviceconfig" host="switch1" latest_time=now | head 5 | diff position1=2 position2=3 ] 
| append [ search sourcetype="deviceconfig" host="switch1" latest_time=now | head 5 | diff position1=3 position2=4 ] 
| append [ search sourcetype="deviceconfig" host="switch1" latest_time=now | head 5 | diff position1=4 position2=5 ] 
| rex  "@@\s*(?<para1> [+-]?\d*,\d*\s*[+-]?\d*,\d*)\s*@@" max_match=50 | rex max_match=100 "(?<para2>\n[+-][ a-zA-Z0-9].*)" | rex "hostname\s*(?<host_name>\w*)" 
| eval count=mvcount(para1)|table _time host count para2

Do anyone know how I could check against the configuration file one day ago ?
Or I should say How I can find the last event one day ago?

MarioM · ‎02-20-2012

what about this :

<your search> earliest=-1d@d latest=@d | head 1

keiichilam · ‎02-21-2012

Thank you I will try this out.

Device Configuration checking

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...