How can I compare the most recent field extraction...

daniel333 · ‎04-20-2018

All,

I have a log file which produces a MD5sum every hour or so. I'd like to compare the most recent event, with the previous event. if the md5sum changed, then alert.

e.g.
5:00pm md5sum=Aaaaaaaaaaaaaaaaaaaaaaaaaa file=/etc/ssh/ssh_config
5:00pm md5sum=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx file=/someotherfile
6:00pm md5sum=Bbbbbbbbbbbbbbbbbbbbbbb file=/etc/ssh/ssh_config

Any easy trick to this?

woodcock · ‎04-22-2018

Like this:

| makeresults 
| eval raw="6:00pm md5sum=Bbbbbbbbbbbbbbbbbbbbbbb file=/etc/ssh/ssh_config:::5:00pm md5sum=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx file=/someotherfile:::5:00pm md5sum=Aaaaaaaaaaaaaaaaaaaaaaaaaa file=/etc/ssh/ssh_config"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "md5sum=(?<md5sum>\S+)\s+file=(?<file>\S+)"
| reverse
| streamstats current=f last(md5sum) AS prev_md5sum BY file
| where md5sum!=prev_md5sum

ssadanala1 · ‎04-20-2018

This can be done by using stream stats command
Check this query .

Thanks

How can I compare the most recent field extraction in a log to the previous one?

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas