Splunk Search

How to display latest events from a log file in a table format?

rajgowd1
Communicator

Hi,
We have 2 configuration files, spg.conf and spg.conf.1162016, and we have written a Perl program to find the difference between these 2 files; the Perl program runs under cron.

We are storing the difference in one file and indexing it. I would like to display recent changes to the configuration files and show them in table format.

Below is the sample data.

This is the difference stored in the file some time ago:

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   VirtualToken00Label = CABOL-HA;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,VirtualToken = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   ServerHtl01 = 0;

Here is the difference stored in the same file recently:

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   CBOL-HA = 1;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,HASynchronize = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   VirtualToken00Members = 157803010,155322014;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   VirtualToken00SN = 1157803010;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

I would like to show only the recent data in table format. Any help is appreciated.

1 Solution

sundareshr
Legend

It appears, from the samples you have provided, that the events have the same timestamp. If that is a fair assumption, try this:

index=yourindex source = /logs/conf/* sourcetype = systemdefault:hdmapp | eventstats latest(_time) as current | where current=_time | table ....


rajgowd1
Communicator

Hi,
With the search you provided, I am able to get the latest events.

When I do the difference manually, I see something like below:

Thu Nov 17 08:30:44 2016,vm-b1fc-d5b5,51d50
Thu Nov 17 08:30:44 2016,vm-b1fc-d5b5,< #HAOnly = 1;

but

When I run the search in Splunk with table, I see it in reverse order like below:

Thu Nov 17 08:30:44 2016 vm-b1fc-d5b5 < #HAOnly = 1;
51d50

Do you have any thoughts on this?


rajgowd1
Communicator

Thanks Sundaresh, I used the reverse function and now the events are displaying properly.

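The latest-run selection done by the accepted search (`eventstats latest(_time) as current | where current=_time`) and the ordering point fixed with `| reverse`, as an added stand-alone Python example that is not from the thread or from Splunk. The sample lines are constructed in the same "<timestamp>,<host>,<diff text>" layout as the OP's data, and `parse_event`, `latest_run` and `as_table` are hypothetical helper names.

```python
from datetime import datetime
from typing import List, Tuple

TIME_FMT = "%a %b %d %H:%M:%S %Y"  # timestamp layout written by the cron job's diff output

# Constructed sample laid out like the indexed events in the thread:
# an older cron run followed by a newer one with a later timestamp.
SAMPLE_EVENTS = [
    "Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   VirtualToken00Label = CABOL-HA;",
    "Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,VirtualToken = {",
    "Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   VirtualToken00Members = 157803010,155322014;",
    "Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}",
    "Thu Nov 17 08:30:44 2016,vm-b1fc-d5b5,51d50",
    "Thu Nov 17 08:30:44 2016,vm-b1fc-d5b5,< #HAOnly = 1;",
]

Event = Tuple[datetime, str, str]  # (timestamp, host, diff text)


def parse_event(line: str) -> Event:
    """Split one line into (timestamp, host, diff text). The diff text can itself
    contain commas (see VirtualToken00Members), so split on the first two only."""
    ts, host, text = line.split(",", 2)
    return datetime.strptime(ts, TIME_FMT), host, text.strip()


def latest_run(lines: List[str], newest_first: bool = False) -> List[Event]:
    """Keep only the events stamped with the newest timestamp, i.e. the output of
    the most recent cron run; this is what `eventstats latest(_time) as current |
    where current=_time` selects. newest_first=True mimics Splunk's default
    result order (what the OP saw as reversed); False is the file order that
    `| reverse` restores. A single stale run also shows up here unchanged, so the
    latest timestamp itself is worth checking against when the job should have run."""
    events = [parse_event(line) for line in lines]
    if not events:
        return []
    current = max(ts for ts, _, _ in events)
    run = [ev for ev in events if ev[0] == current]
    return list(reversed(run)) if newest_first else run


def as_table(events: List[Event]) -> str:
    """Render the run as the `table _time host diff` view asked for in the question."""
    rows = [("_time", "host", "diff")] + [(ts.strftime(TIME_FMT), h, t) for ts, h, t in events]
    widths = [max(len(r[i]) for r in rows) for i in range(3)]
    return "\n".join("  ".join(col.ljust(w) for col, w in zip(r, widths)) for r in rows)


if __name__ == "__main__":
    print(as_table(latest_run(SAMPLE_EVENTS)))
```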

pyro_wood
SplunkTrust

Hi rajgowd,

First, I would like to beg you to format your posts better in the future. Splunkanswers provides different formatting options.
Note: There aren't any differences in the timestamps between the "old" and "new" differences.

Out of this statement...

"We are storing the difference in one file and indexing it. I would like to display recent changes to configuration files and show them in table format."

... I would suggest doing something like this:

index=yourindex source = /logs/conf/* sourcetype = systemdefault:hdmapp | top limit=50 | table _time source _raw

Instead of "_raw" you could also list your fields.
OR

index=yourindex source = /logs/conf/* sourcetype = systemdefault:hdmapp | transaction source | table _time source _raw

Hope this helps!

Regards,
pyro_wood


rajgowd1
Communicator

Hi,
Thank you. I can use the top command to display them, but I am not sure whether the latest events are 10 lines or 5 lines.
Here are the sample events.

This is the difference stored in the file some time ago:

Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3, VirtualToken00Label = CABOL-HA;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3,VirtualToken = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3, ServerHtl01 = 0;

Here is the difference stored in the same file recently:

Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3, CBOL-HA = 1;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3,HASynchronize = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3, VirtualToken00Members = 157803010,155322014;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3, VirtualToken00SN = 1157803010;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

pyro_wood
SplunkTrust

Hi rajgowd,

try using the following search:

index=* source=/logs/conf/* sourcetype=systemdefault:hdmapp | transaction span=30s | table _time _raw