Hi guys,
I have a set of data in the following format:
This is a manually exported list, and my requirements are as follows:
- Objective: I need to identify hosts that haven't connected to the server for a long time and track the daily changes in these numbers.
- Method: Since I need daily statistics, I must perform the import action daily. However, without any configuration changes, Splunk defaults to using "Last Communication" as "_time", which is not what I want. I need "_time" to reflect the date of the import.
This way, I can track changes in the count of "Last " records within each day's imported data.
I can't use folder or file monitoring for this because it only adds new data, so my only options are to use oneshot or to perform the import via the Web interface.
Is my approach correct? If not, what other methods could be used to handle this?
I could use splunk oneshot to upload the file to the Splunk indexer, but I couldn't adjust the date to the import day or specific day.
For example, I used the command:
splunk add oneshot D:\upload.csv -index indexdemo
I want the job to run automatically, so I don't want to change any content of the file.
How could I do this?
Hi @splunksuperman ,
I suppose that you're using a CSV file to import these data.
You have two choices:
For both solutions, you have to add an option to your sourcetype stanza in props.conf:
for the first one:
[your_sourcetype]
TIMESTAMP_FIELDS = <your_timestamp_field>
for the second one:
[your_sourcetype]
DATETIME_CONFIG = CURRENT
Then, to check if a server isn't sending logs, you have two choices:
create a lookup containing the list of the hosts to monitor (called e.g. perimeter.csv and containing at least one field called "host") and running a search like the following that checks if there are logs from the listed hosts in the last 24 hours:
| tstats count WHERE index=your_index earliest=-24h latest=now BY host
| append [ | inputlookup perimeter.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0
or checking if a server sent logs in the last 30 days but not in the last 24 hours with the following search:
| tstats
latest(_time) AS latest
count
WHERE index=your_index earliest=-30d latest=now
BY host
| eval
period=if(latest<now()-86400,"Previous","Latest"),
latest=strftime(latest,"%Y-%m-%d %H:%M:%S")
| where period="Previous"
| table host latest
| rename latest AS "Last Connection"
Ciao.
Giuseppe
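To see what the two searches above actually return, here is an added Python re-implementation of their logic over constructed sample data (it is not code from the thread and does not talk to Splunk). The `NOW`, `PERIMETER` and `EVENTS` values stand in for now(), perimeter.csv and the indexed events respectively, and are invented for the example.

```python
from datetime import datetime, timedelta, timezone

# All data below is constructed for this example; it is not from the original thread.
NOW = datetime(2024, 6, 10, 12, 0, 0, tzinfo=timezone.utc)  # stands in for now()

# Stand-in for perimeter.csv: the hosts we expect to report, one "host" field.
PERIMETER = ["web01", "web02", "db01", "app01"]

# Stand-in for the indexed events: (host, _time) pairs, as tstats would see them.
EVENTS = [
    ("web01", NOW - timedelta(hours=1)),
    ("web01", NOW - timedelta(days=3)),
    ("web02", NOW - timedelta(days=2)),    # seen within 30d, silent in the last 24h
    ("db01",  NOW - timedelta(days=40)),   # last seen outside the 30d window
    ("app01", NOW - timedelta(hours=23)),  # still inside the 24h window
    ("other", NOW - timedelta(hours=5)),   # reporting, but not in the perimeter lookup
]


def silent_hosts_from_lookup(events, perimeter, now, window=timedelta(hours=24)):
    """First search: perimeter hosts with zero events in the window.

    Mirrors: tstats count ... earliest=-24h BY host
             | append [inputlookup perimeter.csv | eval count=0]
             | stats sum(count) AS total BY host | where total=0
    """
    earliest = now - window
    # tstats count BY host over the window
    counts = {}
    for host, t in events:
        if earliest <= t <= now:
            counts[host] = counts.get(host, 0) + 1
    # append the lookup rows with count=0, then stats sum(count) BY host
    for host in perimeter:
        counts.setdefault(host, 0)
    # where total=0
    return sorted(h for h, total in counts.items() if total == 0)


def stale_hosts_by_latest(events, now, lookback=timedelta(days=30), quiet=timedelta(hours=24)):
    """Second search: hosts seen in the lookback whose latest event is older than `quiet`.

    Mirrors: tstats latest(_time) AS latest count ... earliest=-30d BY host
             | eval period=if(latest<now()-86400,"Previous","Latest")
             | where period="Previous" | table host latest
    Returns {host: "Last Connection"} with the timestamp formatted like strftime().
    """
    earliest = now - lookback
    latest_seen = {}
    for host, t in events:
        if earliest <= t <= now and (host not in latest_seen or t > latest_seen[host]):
            latest_seen[host] = t
    cutoff = now - quiet
    return {
        host: t.strftime("%Y-%m-%d %H:%M:%S")
        for host, t in sorted(latest_seen.items())
        if t < cutoff
    }


if __name__ == "__main__":
    print("Perimeter hosts with no events in 24h:", silent_hosts_from_lookup(EVENTS, PERIMETER, NOW))
    print("Hosts that went quiet (seen in 30d, not in 24h):", stale_hosts_by_latest(EVENTS, NOW))
```

Running it shows the practical difference between the two searches: the lookup-based one reports both `db01` (not seen for 40 days, so never in the 30-day window) and `web02`, while the latest(_time) one reports only `web02`, because it can only flag hosts that have at least one event inside the lookback. A host that is reporting but missing from the lookup (`other`) is ignored by the first search and would appear in the second only once it goes quiet.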
Thanks for your reply!
But if I use oneshot to upload the csv file, could it match the specific sourcetype I added in the props.conf?
Hello @splunksuperman, oneshot is typically used in development/testing environments when you want to do the below. You can try a for loop and wrap the command in it.
Refer: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorfilesanddirectoriesusingtheCLI#...
For your data onboarding consider using a monitored input on a forwarder or use the splunk add-on for Microsoft Windows if dealing with Windows files.
If this helps, please upvote.
I have clarified my requirements above, which might make it easier to understand.