Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with advanced search for matching entry?

RobertRi
Communicator
‎02-02-2023 10:47 PM

Hello Community!

I'm searching for a solution to highlight the "HostC", which has an AppC failure and no further log entry, that AppC is started again.
How can I do this, regardless on which host this happens?

I saw a comment, to create events for "app failure" and "app started" and then make a transaction,
but is there an other way too?

SampleData:

1.1.1970 08:00 HostA -
1.1.1970 08:00 HostB AppB=failure
1.1.1970 08:00 HostC AppC=failure
1.1.1970 09:00 HostA AppA=started
1.1.1970 09:00 HostB AppB=started
1.1.1970 09:00 HostC -

Thanks for your help
Rob

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎02-03-2023 01:13 AM

Several possible approaches.  But the simplest seems to be to just look for latest app message.  You didn't illustrate what you mean by "highlight".  So, I have to speculate that you just need the name of host and application which had this kind of orphan.  But the biggest problem is that you didn't say whether HostA, B, C are values of a field (like host?), and whether AppA, B, C are values of a field (like application?), and if keywords like failure and started are values of a field (like status?).  Assuming none of these fields (except _time) is available, you will have to extract them first.

| rex field=data "^(?<timestamp>\S+\s+\S+)\s+(?<host>\S+)\s+(?<info>\S+)"
| rex field=info "(?<app>[^=]+)=(?<status>.+)"
| eval _time = strptime(timestamp, "%d.%m.%Y %H:%M")
``` extraction above ```
| stats latest(status) as last_status by host
| where last_status == "failure"

Is this what you need?

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎02-03-2023 01:13 AM

Several possible approaches.  But the simplest seems to be to just look for latest app message.  You didn't illustrate what you mean by "highlight".  So, I have to speculate that you just need the name of host and application which had this kind of orphan.  But the biggest problem is that you didn't say whether HostA, B, C are values of a field (like host?), and whether AppA, B, C are values of a field (like application?), and if keywords like failure and started are values of a field (like status?).  Assuming none of these fields (except _time) is available, you will have to extract them first.

| rex field=data "^(?<timestamp>\S+\s+\S+)\s+(?<host>\S+)\s+(?<info>\S+)"
| rex field=info "(?<app>[^=]+)=(?<status>.+)"
| eval _time = strptime(timestamp, "%d.%m.%Y %H:%M")
``` extraction above ```
| stats latest(status) as last_status by host
| where last_status == "failure"

Is this what you need?

Tags (1)
0 Karma
Reply
Solved! Jump to solution

RobertRi
Communicator
‎02-03-2023 02:44 AM

Thank you! 

This was the solution! 👍

| stats latest

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...