Getting Data In

How could I specify a day for splunk oneshot to Splunk Indexer?

splunksuperman
Explorer

Hi guys,

I have a set of data in the following format:

[screenshot: 未命名.png]

This is a manually exported list, and my requirements are as follows:

- Objective: I need to identify hosts that haven't connected to the server for a long time and track the daily changes in these numbers.
- Method: Since I need daily statistics, I must perform the import action daily. However, without any configuration changes, Splunk defaults to using "Last Communication" as "_time", which is not what I want. I need "_time" to reflect the date of the import.

This way, I can track changes in the count of "Last " records within each day's imported data.

I can't use folder or file monitoring for this because it only adds new data, so my only options are to use oneshot or to perform the import via the Web interface.

Is my approach correct? If not, what other methods could be used to handle this?

I could use splunk oneshot to upload the file to the Splunk indexer, but I couldn't adjust the date to the import day or a specific day.

An example of the command I used:

splunk add oneshot D:\upload.csv -index indexdemo

I want the job to run automatically, so I don't want to change any content in the file.

How could I do this?
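The day-over-day tracking described in the objective above, as an added example that is not part of the original post or of Splunk: each export is treated as a snapshot stamped with its import date (the "_time" the poster wants), hosts whose last contact is older than a threshold are counted, and consecutive days are compared. The column names Host and Last Communication, the date format and the 7-day threshold are assumptions, and the two snapshots are constructed; rows with an empty or unparseable date are treated as stale, since an unknown last contact is the worst case.

```python
"""Day-over-day count of hosts whose last contact is stale, from daily exports.

Added example, not from the thread. Column names, date format and the
7-day threshold are assumptions; the snapshots below are constructed.
"""
import csv
import io
from datetime import date, datetime

STALE_DAYS = 7  # assumed threshold for "hasn't connected for a long time"

# Constructed snapshots: key = import date (what _time should be),
# value = exported file content. Note the empty and malformed dates.
SNAPSHOTS = {
    date(2024, 11, 18): (
        "Host,Last Communication\n"
        "web01,2024-11-18 08:00\n"
        "web02,2024-11-05 10:00\n"
        "db01,2024-11-17 23:00\n"
        "old01,\n"
    ),
    date(2024, 11, 19): (
        "Host,Last Communication\n"
        "web01,2024-11-19 08:00\n"
        "web02,2024-11-19 07:00\n"
        "db01,2024-11-11 23:00\n"
        "old01,\n"
        "web03,not a date\n"
    ),
}


def parse_last_seen(value: str):
    """Return a datetime, or None when the export carries no usable date."""
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d %H:%M")
    except ValueError:
        return None


def stale_hosts(csv_text: str, import_day: date, stale_days: int = STALE_DAYS) -> set:
    """Hosts whose last contact is older than stale_days relative to the import day.

    The reference is the import day, not 'now', so re-running the report on an
    old snapshot gives the same answer. A row without a parseable date counts
    as stale: unknown last contact is treated as the worst case.
    """
    stale = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        last = parse_last_seen(row.get("Last Communication", ""))
        if last is None or (import_day - last.date()).days > stale_days:
            stale.add(row["Host"])
    return stale


def daily_report(snapshots: dict) -> list:
    """[(day, stale_count, delta_vs_previous_day, newly_stale, recovered)] by day."""
    report, previous = [], set()
    for day in sorted(snapshots):
        stale = stale_hosts(snapshots[day], day)
        report.append((day, len(stale), len(stale) - len(previous),
                       sorted(stale - previous), sorted(previous - stale)))
        previous = stale
    return report


if __name__ == "__main__":
    for day, count, delta, new, gone in daily_report(SNAPSHOTS):
        print(f"{day}: {count} stale ({delta:+d}); newly stale={new}; recovered={gone}")
```

With the constructed data the first day reports two stale hosts (web02 and old01) and the second day three (db01 crosses the threshold, web03 has no usable date, web02 reconnected), which is the per-day count and change the objective asks for.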

 


gcusello
SplunkTrust

Hi @splunksuperman ,

I suppose that you're using a CSV file to import these data.

You have two choices:

  • use as timestamp a date and time in each row of the csv file (if present),
  • use the current time (the index time) as timestamp.

For both solutions, you have to add an option to your sourcetype stanza in props.conf:

for the first one:

[your_sourcetype]
TIMESTAMP_FIELDS = <your_timestamp_field>

for the second one:

[your_sourcetype]
DATETIME_CONFIG = CURRENT

Then, to check if a server isn't sending logs, you have two choices:

Create a lookup containing the list of the hosts to monitor (called e.g. perimeter.csv and containing at least one field called "host") and run a search like the following, which checks whether there are logs from the listed hosts in the last 24 hours:

| tstats count WHERE index=your_index earliest=-24h latest=now BY host
| append [ | inputlookup perimeter.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Or check whether a server sent logs in the last 30 days but not in the last 24 hours with the following search:

| tstats 
     latest(_time) AS latest 
     count 
     WHERE index=your_index earliest=-30d latest=now
     BY host
| eval 
     period=if(latest<now()-86400,"Previous","Latest"),
     latest=strftime(latest,"%Y-%m-%d %H:%M:%S")
| where period="Previous"
| table host latest
| rename latest AS "Last Connection"

Ciao.

Giuseppe
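As an added example (not code from the thread or from Splunk), a Python wrapper for the second option above: it prints the props.conf stanza to install once (DATETIME_CONFIG = CURRENT, plus INDEXED_EXTRACTIONS = csv so the header row becomes field names, which assumes the export is a CSV with a header), validates the export, and runs splunk add oneshot with the -sourcetype option so the file is matched to that stanza. The sourcetype name hostlist_export, the default file name upload.csv and the use of SPLUNK_HOME to find the CLI are assumptions; when SPLUNK_HOME is not set the script only prints the stanza and the command.

```python
"""Daily one-shot import of an exported host list into Splunk.

Added example, not code from the thread or from Splunk. Assumptions:
  * the export is a CSV with a header row (hence INDEXED_EXTRACTIONS = csv),
  * the Splunk CLI is at $SPLUNK_HOME/bin/splunk; if SPLUNK_HOME is unset
    the script only prints the command it would run,
  * sourcetype "hostlist_export" is a placeholder name you choose.
"""
import os
import shlex
import subprocess
import sys
from pathlib import Path

SOURCETYPE = "hostlist_export"  # placeholder; must equal the props.conf stanza name
INDEX = "indexdemo"             # the index name used in the question


def props_stanza(sourcetype: str) -> str:
    """The props.conf stanza to install once on the indexing instance.

    DATETIME_CONFIG = CURRENT makes _time the moment of indexing, so every
    daily import is stamped with its import day instead of the
    'Last Communication' value found in each row.
    """
    return (
        f"[{sourcetype}]\n"
        "INDEXED_EXTRACTIONS = csv\n"   # header row becomes field names
        "DATETIME_CONFIG = CURRENT\n"   # _time = index time, not a date in the row
    )


def build_oneshot_argv(splunk_bin: str, csv_path: str, index: str, sourcetype: str) -> list:
    """argv for `splunk add oneshot`; -sourcetype ties the file to the stanza above."""
    return [splunk_bin, "add", "oneshot", csv_path,
            "-sourcetype", sourcetype, "-index", index]


def check_csv(csv_path: str) -> bool:
    """Refuse empty files and files whose first line is not a comma-separated header."""
    path = Path(csv_path)
    if not path.is_file() or path.stat().st_size == 0:
        return False
    with path.open("r", encoding="utf-8-sig") as fh:  # utf-8-sig drops an Excel BOM
        header = fh.readline().strip()
    return "," in header


def import_snapshot(csv_path: str, index: str = INDEX, sourcetype: str = SOURCETYPE) -> int:
    """Validate the export and run (or print) the oneshot command. Returns an exit code."""
    if not check_csv(csv_path):
        print(f"refusing to import {csv_path}: file missing, empty or without a header row")
        return 2
    splunk_home = os.environ.get("SPLUNK_HOME")
    splunk_bin = str(Path(splunk_home) / "bin" / "splunk") if splunk_home else "splunk"
    argv = build_oneshot_argv(splunk_bin, csv_path, index, sourcetype)
    if splunk_home and Path(splunk_bin).exists():
        return subprocess.run(argv, check=False).returncode
    print("dry run (SPLUNK_HOME not set); install this stanza in local/props.conf:\n")
    print(props_stanza(sourcetype))
    print("then run:", " ".join(shlex.quote(a) for a in argv))
    return 0


if __name__ == "__main__":
    sys.exit(import_snapshot(sys.argv[1] if len(sys.argv) > 1 else "upload.csv"))
```

Schedule the script once a day (cron, or Task Scheduler on the Windows host where D:\upload.csv is exported) so each run produces one batch of events stamped with that day's index time. The stanza has to live on the instance that actually indexes the file, and props.conf changes take effect only after a restart of that instance, so install it before the first scheduled run.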

 

splunksuperman
Explorer

Thanks for your reply!

But if I use oneshot to upload the csv file, could it match the specific sourcetype I added in the props.conf?


sainag_splunk
Splunk Employee

Hello @splunksuperman, oneshot is typically used in development/testing environments when you want to do the below. You can try a for loop and wrap the command in it.

  • Upload a file once to Splunk
  • Don't want to set up an ongoing input
  • Need to directly copy data into Splunk Enterprise

Refer: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorfilesanddirectoriesusingtheCLI#...

For your data onboarding consider using a monitored input on a forwarder or use the splunk add-on for Microsoft Windows if dealing with Windows files.


If this Helps, Please UpVote


splunksuperman
Explorer

I have clarified my requirements above, which might make it easier to understand.
