All,
I have a log file which produces a MD5sum every hour or so. I'd like to compare the most recent event, with the previous event. if the md5sum changed, then alert.
e.g.
5:00pm md5sum=Aaaaaaaaaaaaaaaaaaaaaaaaaa file=/etc/ssh/ssh_config
5:00pm md5sum=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx file=/someotherfile
6:00pm md5sum=Bbbbbbbbbbbbbbbbbbbbbbb file=/etc/ssh/ssh_config
Any easy trick to this?
Like this:
| makeresults
| eval raw="6:00pm md5sum=Bbbbbbbbbbbbbbbbbbbbbbb file=/etc/ssh/ssh_config:::5:00pm md5sum=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx file=/someotherfile:::5:00pm md5sum=Aaaaaaaaaaaaaaaaaaaaaaaaaa file=/etc/ssh/ssh_config"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "md5sum=(?<md5sum>\S+)\s+file=(?<file>\S+)"
| reverse
| streamstats current=f last(md5sum) AS prev_md5sum BY file
| where md5sum!=prev_md5sum
This can be done by using stream stats command
Check this query .
|makeresults |eval md5 ="22,33,33"|eval md5 = split(md5,",") |mvexpand md5| streamstats current=f global=f window=1 last(md5) as last_md5 |eval match = if(md5 == last_md5,"match","nomatch") |where match = "nomatch"
Thanks