Splunk Search

Compare logs between two different datacenter and match the value.

DougiieDee
Explorer

I have two different datacenter . hostA and hostB are like datacenters and 1,2,3.... are hosts. hostA-1, hostA-2, hostA-3, hostA-4, hostA-5 . hostB-5, hostB-6, hostB-7, hostB-8.  and wanted to check side by side to those datacenters and only get the token value that matches. here is the sample log: 2021-08-05 19:01:59.677 INFO RestTemplate: {"logType":"STANDARD","message":"==========================request log================================================", "Method":"POST","Headers":"{Accept=[application/json], Content-Type=[application/json], Authorization=[Bearer eyJhQM8DMG8bEtCIsiZ0GjyYWxwt3ny1Q], Token=[basd23123], "Request body": {"accountNumber":824534875389475}}} hostA = 1 source = a.log sourcetype = a_log 2021-08-05 19:01:59.687 INFO RestTemplate: {"logType":"STANDARD","message":"==========================request log================================================", "Method":"POST","Headers":"{Accept=[application/json], Content-Type=[application/json], Authorization=[Bearer eyJhQM8DMG8bEtCIsiZ0GjyYWxwt3ny1Q], Token=[basd23123], "Request body": {"accountNumber":824534875389475}}} hostb = 6 source = a.log sourcetype = a_log

if the Authorization matches on both hostA and hostB then only the matched are needed. 
eg 
hostA                                hostB                                              result
asd132c                          asd132c                                     matched

Labels (5)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

@DougiieDee  Try below.

| rex "Authorization=\[(?<Authorization>[^\]]+).+\}\s{0,1}(?<host>\S+)"
| stats values(host) as hosts by Authorization
| where mvcount(hosts) >= 2 
| eval result = "matched" 

View solution in original post

DougiieDee
Explorer

@venkatasri can u help me on this??

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@DougiieDee  Try below.

| rex "Authorization=\[(?<Authorization>[^\]]+).+\}\s{0,1}(?<host>\S+)"
| stats values(host) as hosts by Authorization
| where mvcount(hosts) >= 2 
| eval result = "matched" 

ITWhisperer
SplunkTrust
SplunkTrust

Is this one or two events? There appear to be a timestamp start of the second event as part of the first event - is this just an artefact of copy/paste or are there really two events in one?

| rex "Authorization=\[(?<Authorization>[^\]]+)\].+(?<host>host\w+)\s=\s"
| eventstats values(host) as hosts by Authorization
| where mvcount(hosts) = 2

DougiieDee
Explorer

the hostA logs are being replicated to hostB datacenter. thats is the reason it is in both datacenter. this query didnt display any results.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...