Splunk Search

Compare logs between two different datacenter and match the value.

DougiieDee
Explorer

I have two different datacenter . hostA and hostB are like datacenters and 1,2,3.... are hosts. hostA-1, hostA-2, hostA-3, hostA-4, hostA-5 . hostB-5, hostB-6, hostB-7, hostB-8.  and wanted to check side by side to those datacenters and only get the token value that matches. here is the sample log: 2021-08-05 19:01:59.677 INFO RestTemplate: {"logType":"STANDARD","message":"==========================request log================================================", "Method":"POST","Headers":"{Accept=[application/json], Content-Type=[application/json], Authorization=[Bearer eyJhQM8DMG8bEtCIsiZ0GjyYWxwt3ny1Q], Token=[basd23123], "Request body": {"accountNumber":824534875389475}}} hostA = 1 source = a.log sourcetype = a_log 2021-08-05 19:01:59.687 INFO RestTemplate: {"logType":"STANDARD","message":"==========================request log================================================", "Method":"POST","Headers":"{Accept=[application/json], Content-Type=[application/json], Authorization=[Bearer eyJhQM8DMG8bEtCIsiZ0GjyYWxwt3ny1Q], Token=[basd23123], "Request body": {"accountNumber":824534875389475}}} hostb = 6 source = a.log sourcetype = a_log

if the Authorization matches on both hostA and hostB then only the matched are needed. 
eg 
hostA                                hostB                                              result
asd132c                          asd132c                                     matched

Labels (5)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

@DougiieDee  Try below.

| rex "Authorization=\[(?<Authorization>[^\]]+).+\}\s{0,1}(?<host>\S+)"
| stats values(host) as hosts by Authorization
| where mvcount(hosts) >= 2 
| eval result = "matched" 

View solution in original post

DougiieDee
Explorer

@venkatasri can u help me on this??

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@DougiieDee  Try below.

| rex "Authorization=\[(?<Authorization>[^\]]+).+\}\s{0,1}(?<host>\S+)"
| stats values(host) as hosts by Authorization
| where mvcount(hosts) >= 2 
| eval result = "matched" 

ITWhisperer
SplunkTrust
SplunkTrust

Is this one or two events? There appear to be a timestamp start of the second event as part of the first event - is this just an artefact of copy/paste or are there really two events in one?

| rex "Authorization=\[(?<Authorization>[^\]]+)\].+(?<host>host\w+)\s=\s"
| eventstats values(host) as hosts by Authorization
| where mvcount(hosts) = 2

DougiieDee
Explorer

the hostA logs are being replicated to hostB datacenter. thats is the reason it is in both datacenter. this query didnt display any results.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...