Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare value of 2 logfiles for notification?

simon9
Explorer
‎02-23-2022 07:13 AM

Hi all,

I'm a beginner working with splunk. I have 2 Logfiles with the same Name, but from 2 different Hosts. I would like to compare both file for an expression (e.g. "server disconected") and only get the result, when the same expression is in both file in the sime time-period (last 10 min.)  so that i could use the select for a notification.

I hope you understand what i mean🙂

Thanks, Simon

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-23-2022 07:57 AM

Hi @simon9,

sorry, I understood exactly the opposite!

with my search you count the number of different hosts, when the count is two, means that's present in both hosts.

please, try this:

index=your_index source="yoursource" "server disconnected"
| stats dc(host) AS dc_host values(host) AS host
| where dc_host=2

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

simon9
Explorer
‎02-23-2022 07:48 AM

Ciao @gcusello 

thanks for your fast response! I tried it, but i get the data also if the entrie is just in one logfile .  I need a result only, if the expression "server disconnect" is in both logfile at the same time.

e.g:

Logfile from "host 1" has 10 entrys "server disconnected" and logfile from "host 2" has 2 entrys "server disconnected" in the same timeperiod -> result should be 12.

Logfile from "host 1" has 10 entrys "server disconnected" and Logfile from "host 2" has 0 entrys "server disconnected" in the same timeperiod  -> result would be 0.

Thanks, Simon

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-23-2022 07:57 AM

Hi @simon9,

sorry, I understood exactly the opposite!

with my search you count the number of different hosts, when the count is two, means that's present in both hosts.

please, try this:

index=your_index source="yoursource" "server disconnected"
| stats dc(host) AS dc_host values(host) AS host
| where dc_host=2

Ciao.

Giuseppe

Reply
Solved! Jump to solution

simon9
Explorer
‎02-23-2022 08:05 AM

@gcusello you don't need to apologize, my description was not the best !

I tried the new statement, but unfortunately i still get the result, althoug just 1 logfile (Host) has entrys.

simon9_0-1645632278780.png

 

Thank you for your Help!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-23-2022 08:09 AM

Hi @simon9,

you don't have results: the statistics tab is empty, you have two events from the same host, 

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

simon9
Explorer
‎02-23-2022 08:16 AM

@gcusello OK, i understand. Grazie Mille for your help

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-23-2022 08:19 AM

Hi @simon9,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-23-2022 07:18 AM

Hi @simon9,

try something like this:

index=your_index source="yoursource" "server disconnected"
| stats dc(host) AS dc_host values(host) AS host
| where dc_host=1
| table host

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...