Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating a search that looks up values from one logfile and compares against another

aubine
Explorer
‎08-27-2021 11:11 AM

I have two logfiles, logfile1.log and logfile2.log. I have created their own field extractions for both of them. Here is an example line for both logs:

logfile1.log:

file1time, epoch, file1ID, name, flag, stat1, stat2, stat3

logfile2.log:

lastruntime, file2ID, epoch

What I need to do is compare logfiles each against the ID's, ensure that they're the same, and output the "name" field in the search that has logfile2.log as it's source.

There's probably a very easy way to do this, but I can't think of it. Any help would be greatly appreciated. Thanks!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2021 10:06 AM

I think the same answer still applies.  In this query, the two sources are combined based on the common field, then days_since is calculated, and the data displayed.

index=foo sourcetype=test host=* (source="/data/stuff/logfile2.log" OR source="/data/stuff/logfile2.log")
| eval ID = coalesce(file1ID, lastupdate_direc)
| stats values(lastupdate_time) as lastupdate_time, values(name) as name by host, ID
| eval new_time=strptime(lastupdate_time, "%F %H:%M")
| eval diff_new=now()-new_time
| eval days_since=((diff_new-14400)/60/60/24)
| table host ID lastupdate_time days_since name
| sort - days_since
| rename host as "Server" ID as "Directory Name" lastupdate_time as "Date/Time Last updated" days_since "Days since last update"

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-27-2021 12:00 PM

If I understand the request correctly, the solution is pretty straightforward.  Read events from both logs, create a common field with ID in it, then group events by ID.

index=foo (source=logfile1.log OR source=logfile2.log)
| eval ID = coalesce(file1ID, file2ID)
| stats values(*) as * by ID
| table lastruntime, file2ID, epoch, name
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

aubine
Explorer
‎08-30-2021 08:03 AM

Hi Rich,

I don't think I properly explained myself so here I'll put the Splunk search that I currently have and you can comment from there:

logfile1.log:

file1time, epoch, file1ID (this is the unique field), name (this is the field I would like added), flag, stat1, stat2, stat3

logfile2.log:

lastupdate_time, lastupdate_direc (this is the unique field), epoch

 

index=foo sourcetype=test host=* source="/data/stuff/logfile2.log"
| eval new_time=strptime(lastupdate_time, "%F %H:%M")
| eval diff_new=now()-new_time
| eval days_since=((diff_new-14400)/60/60/24)
| table host lastupdate_direc lastupdate_time days_since
| dedup lastupdate_direc
| sort days_since
| reverse
| rename host as "Server" lastupdate_direc as "Directory Name" lastupdate_time as "Date/Time Last updated" days_since "Days since last update"

The directory is a number field and I have another log file logfile1.log that has the same number field that I want to associate and make it so that I can associate the "name" field (because it's in another software) with the last time the directory updated (and that logs only when there's update rather than constantly and I don't want users to be using an "All Time" search if I can help it). Currently the output looks something like:

ServerDirectory NameDate/Time Last UpdatedDays since last update
server112021-08-30 11:000
server122021-08-01 11:0029
server212021-08-29 00:001

 

What I would like to do is to add one field to that table from logfile1.log with the "name" field that has the same unique ID as the Directory Name (lastupdate_direc).

 

 

I hope that explained it better. Let me know if it makes sense. Thanks for your quick response! 😄

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2021 10:06 AM

I think the same answer still applies.  In this query, the two sources are combined based on the common field, then days_since is calculated, and the data displayed.

index=foo sourcetype=test host=* (source="/data/stuff/logfile2.log" OR source="/data/stuff/logfile2.log")
| eval ID = coalesce(file1ID, lastupdate_direc)
| stats values(lastupdate_time) as lastupdate_time, values(name) as name by host, ID
| eval new_time=strptime(lastupdate_time, "%F %H:%M")
| eval diff_new=now()-new_time
| eval days_since=((diff_new-14400)/60/60/24)
| table host ID lastupdate_time days_since name
| sort - days_since
| rename host as "Server" ID as "Directory Name" lastupdate_time as "Date/Time Last updated" days_since "Days since last update"

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

aubine
Explorer
‎09-01-2021 06:13 AM

Thanks for all your help @richgalloway . Unfortunately, it made a new problem and I will post a new question about that. Thanks again!

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top