- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- How do I compare two chunks of multiple values of ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I compare two chunks of multiple values of different fields from different events?
Hi,
I am using Splunk Enterprise Version 9 where the new index _configtracker is able to show changes made to configuration files.
However, it is hard to identify the changes made to a correlation search in savedsearches.conf at a glance or use the data.changes{}.properties{}.new_value field as it contains multiple values.
Furthermore, the change is spread over two events where one shows data.changes{}.properties{}.new_value (post-change field.jpg) and the other shows data.changes{}.properties{}.old_value (empty values)
How can I compare all the multiple values under the field and return the property that is being changed?
I am guessing I can link the two events using the "new_checksum" and "old_checksum".
I removed most of the fields to make it easier to read and changed the content of the SPL to <Search content> to mask some information.
Pre-change raw details:
{"datetime":"06-21-2022 16:29:41.119 +0800","log_level":"INFO ","component":"ConfigChange","data":{"path":"/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf","action":"update","modtime":"Tue Jun 21 16:29:41 2022","epoch_time":"1655800181","new_checksum":"0x621552b3fcbdfc9e","old_checksum":"0x95c4bf5f0b449f9","changes":[{"stanza":"Endpoint - Linux/MS - Server Reboot/Shutdown - Rule","properties":[{"name":"action.correlationsearch.annotations","new_value":"","old_value":"{}"},{"name":"realtime_schedule","new_value":"","old_value":"0"},
{"name":"search","new_value":"","old_value":"(<Search content>"}]}]}}
Post-change raw details:
{"datetime":"06-21-2022 16:29:41.642 +0800","log_level":"INFO ","component":"ConfigChange","data":{"path":"/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf","action":"update","modtime":"Tue Jun 21 16:29:41 2022","epoch_time":"1655800181","new_checksum":"0xf5867665b8a15f4","old_checksum":"0x621552b3fcbdfc9e","changes":[{"stanza":"Endpoint - Linux/MS - Server Reboot/Shutdown - Rule","properties":[{"name":"action.correlationsearch.annotations","new_value":"{}","old_value":""},{"name":"realtime_schedule","new_value":"0","old_value":""},
{"name":"search","new_value":"(<Search content>","old_value":""}]}]}}
Regards,
Zijian
Index This | Forward, I’m heavy; backward, I’m not. What am I?
A Guide To Cloud Migration Success
Join Us for Splunk University and Get Your Bootcamp Game On!
