Last command and kernel update

Hi, need your thoughts and help,

Scenario: someone rebooted several servers and updated the kernel from one version to another.

Question: how can we find which kernel version is running now and which was running before the reboot?

In the output of “last | grep reboot” I see that on a given date there is a reboot like this:

For example:

Server1$ last | grep reboot

reboot system boot 4.9.0-3-amd64 Sat Jul 15 19:19 still running
reboot system boot 3.9. 0-3-amd64 Fri Jul 14 19:19 running

I want to get the two lines and display what the current kernel version is and what the previous kernel version was.

Is this possible in Splunk?

0 Karma


Something like this would work best for your problem:

reboot system boot | rex "system boot\s+(?<kernel>\S+)" | stats values(kernel) as kernels by host

All the best

0 Karma
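The same two values can also be read on the host itself from the `last` output the question shows, which lists the newest boot record first. The script below is an added example, not part of the thread: the function name `kernel_history`, its key=value output fields and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in the format of `last` output (newest entry first).
# The older kernel string and the login line are made up for this example.
SAMPLE_LAST='reboot   system boot  4.9.0-3-amd64    Sat Jul 15 19:19   still running
admin    pts/0        10.0.0.5         Sat Jul 15 19:25   still logged in
reboot   system boot  3.16.0-4-amd64   Fri Jul 14 19:19 - 19:17  (23:58)'

# kernel_history (hypothetical helper): reads `last` output on stdin and
# prints one key=value line with the current and the previous boot's kernel.
# Exits non-zero when no boot record is present (for example after wtmp rotation).
kernel_history() {
    awk '
        # Match real boot records only, not every line containing "reboot".
        $1 == "reboot" && $2 == "system" && $3 == "boot" {
            n++
            if (n == 1) { current = $4 }        # newest record: running kernel
            else if (n == 2) { previous = $4 }  # record before it: prior boot
        }
        END {
            if (n == 0) { print "status=no_reboot_records"; exit 1 }
            if (n == 1) {
                # Only one boot on record: the earlier kernel cannot be known.
                previous = "unknown"; changed = "unknown"
            } else {
                changed = (current != previous) ? "yes" : "no"
            }
            printf "current_kernel=%s previous_kernel=%s kernel_changed=%s boots_seen=%d\n", \
                current, previous, changed, n
        }'
}

# Demo on the constructed sample; on a live host run: last | kernel_history
printf '%s\n' "$SAMPLE_LAST" | kernel_history
```
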