Splunk Search

Conditional Splunk Query (if else)

GRC
Path Finder

Hi Champions,

In the below mentioned dataset, I want to create a conditional Splunk query.

Ex: I want to check first whether the rsyslog service is stopped; if it is stopped, then who stopped it and on which server, then display the results in a table.

Can you please help?

Oct 25 16:30:06 keybox sudosh: KHYJS6PxEI64zG Henry: service rsyslog start
Oct 25 16:30:02 keybox sudosh: KHYJS6PxEI64zG Joseph: #011service rsyslog stop
Oct 25 15:15:30 keybox sudosh: ssNjFZca22OvaB Henry: service rsyslog stop
Oct 25 15:08:26 keybox sudosh: ssNjFZla22OvaB Henry: #011service rsyslog start
Oct 25 15:07:46 keybox sudosh: ssNjFZla22OvaB Joseph: service rsyslog status
Oct 25 15:06:21 keybox sudosh: ssNjF0la22OvaB Asher: service rsyslog statutss
Oct 25 14:49:57 eqc-03-tpp sudosh: gkrMz1dLey0CS1 John: cat /etc/red#011#177#177#177#177#177#177#177#177#177#177#177#177#177#177#177r#177#177#177#177#177#177#177#177#177#177#177#177#177sys#177#177ervice rsyslog status
Oct 25 14:48:26 keybox sudosh: VSjTDhPH3iM5MY Ahser: service rsyslog status

Fields are:

I tried with the below mentioned query, but was unable to create a conditional query.

index = sudosh_app_protected  host = *

|eval "Critical Logging Events:" = "Rsyslog was Stopped on " + host, "Date and Time" = MonthDateTime, "User" = UserName, "Source" = sourcetype
|table "Date and Time","Critical Logging Events:" , "User", "Source"

Please help.
Thank you in advance. 

0 Karma

ITWhisperer
SplunkTrust

Is this sufficient to get all the stop events?

index = sudosh_app_protected  host = * "service rsyslog stop"
0 Karma

GRC
Path Finder

Hi @ITWhisperer @PickleRick ,

I got the hints from a query builder. It is something like this 

| rex field=_raw "(?<date>\w{3} \d+ \d+:\d+:\d+) (?<var_name>.+) (?<lnx_command>\w+): (?<var_name2>\w+) (?<user>\w+): (?<sys_command>.*)"

| search sys_command="*rsyslog stop"

| table date user <the var_name thats correspond with your server name> 

Thank you for trying to help me out. I really appreciate it. 

Cheers

0 Karma

PickleRick
SplunkTrust

I don't know about OP and the reason for such search but in general, it won't tell you who stopped the service.

For example, from two subsequent "service stop" commands without any "service start" in between, the second one doesn't necessarily do anything because the service should be already stopped.

But we don't know whether the service did indeed stop, so the original question is unanswerable from the data we have at hand. We only know what people requested. We don't know how the services reacted, whether they managed to start or whether they failed to stop.

That's one caveat we need to take into account while analyzing such data.

0 Karma
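An added example (not code from this thread) that works the rex posted above and the caveat in the reply just before this one through in Python over the sample lines from the question: it decodes the raw keystrokes sudosh recorded before matching, so a "service rsyslog stop" typed with tabs or backspaces is still found, and it flags a stop that follows another stop on the same host. It assumes sudosh writes control bytes as '#' plus three octal digits (#011 tab, #177 DEL) and that DEL erases the previous character; the field names in the regex are assumed and mirror the rex above.

```python
import re
from datetime import datetime

# Sample copied from the sudosh lines in the question above (newest first).
SAMPLE_LINES = """\
Oct 25 16:30:06 keybox sudosh: KHYJS6PxEI64zG Henry: service rsyslog start
Oct 25 16:30:02 keybox sudosh: KHYJS6PxEI64zG Joseph: #011service rsyslog stop
Oct 25 15:15:30 keybox sudosh: ssNjFZca22OvaB Henry: service rsyslog stop
Oct 25 15:08:26 keybox sudosh: ssNjFZla22OvaB Henry: #011service rsyslog start
Oct 25 14:49:57 eqc-03-tpp sudosh: gkrMz1dLey0CS1 John: cat /etc/red#011#177#177#177#177#177#177#177#177#177#177#177#177#177#177#177r#177#177#177#177#177#177#177#177#177#177#177#177#177sys#177#177ervice rsyslog status
""".splitlines()

# Field layout mirrors the rex posted in the thread: date, host, program, session, user, command.
LINE_RE = re.compile(r"^(?P<date>\w{3} +\d+ \d+:\d+:\d+) (?P<host>\S+) sudosh: "
                     r"(?P<session>\w+) (?P<user>\w+): (?P<raw>.*)$")
# Assumption: sudosh writes control bytes as '#' plus three octal digits, so #011 is
# TAB and #177 is DEL, which the shell's line editor treats as "erase previous char".
OCTAL_RE = re.compile(r"#([0-7]{3})")
RSYSLOG_RE = re.compile(r"^service\s+rsyslog\s+(?P<action>\w+)$")

def decode_keystrokes(raw: str) -> str:
    """Rebuild the command line the shell actually received from the raw keystrokes."""
    buf = []
    for ch in OCTAL_RE.sub(lambda m: chr(int(m.group(1), 8)), raw):
        if ch != "\x7f":
            buf.append(ch)
        elif buf:
            buf.pop()
    return "".join(buf).strip()

def parse_line(line: str):
    """Fields of one sudosh line, with the typed command decoded; None if it doesn't match."""
    m = LINE_RE.match(line)
    return {**m.groupdict(), "command": decode_keystrokes(m.group("raw"))} if m else None

def rsyslog_stop_requests(lines):
    """Who asked to stop rsyslog, where and when, oldest first. follows_stop flags a stop
    issued while the host's last rsyslog request was also a stop (the log shows requests only)."""
    recs = [r for r in map(parse_line, lines) if r]
    recs.sort(key=lambda r: datetime.strptime(r["date"], "%b %d %H:%M:%S"))
    last_action, stops = {}, []
    for r in recs:
        m = RSYSLOG_RE.match(r["command"])
        if not m:
            continue
        if m.group("action") == "stop":
            stops.append({"date": r["date"], "host": r["host"], "user": r["user"],
                          "follows_stop": last_action.get(r["host"]) == "stop"})
        last_action[r["host"]] = m.group("action")
    return stops
```

On the sample above, the backspaced "cat /etc/red..." line decodes to a plain "service rsyslog status", and Joseph's 16:30:02 stop is flagged because Henry's 15:15:30 stop on keybox was never followed by a start.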