Hi, need your thoughts and help,
Scenario: someone rebooted several servers and updated the kernel from one version to another.
Question: how can we find what kernel version that is running now and what was running before reboot
I saw in the “last | grep reboot” I see that one a given date I see reboot like this
Server1$ last | grep reboot
reboot system boot 4.9.0-3-amd64 Sat Jul 15 19:19 still running
reboot system boot 3.9. 0-3-amd64 Fri Jul 14 19:19 running
I want to get the two lines and display what is current kernel version and what was previous kernel version
Is this possible in splunk?
Something like this would work best for your problem:
reboot system boot| rex "system boot (?<kernal>\S+)" | stats values(kernal) as kernals by host
All the best