Splunk Search

How to display latest events from a log file in a table format?

Communicator

Hi,
We have 2 configuration files, spg.conf and spg.conf.1162016, and we wrote a Perl program to find the difference between these 2 files; the Perl program runs under cron.

We are storing the difference in one file and indexing it. I would like to display recent changes to the configuration files and show them in table format.

Below is the sample data.

This is the difference stored in the file some time ago:

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   VirtualToken00Label = CABOL-HA;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,VirtualToken = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   ServerHtl01 = 0;

Here is the difference stored in the same file recently:

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   CBOL-HA = 1;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,HASynchronize = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   VirtualToken00Members = 157803010,155322014;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   VirtualToken00SN = 1157803010;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

I would like to show only the recent data in table format. Any help is appreciated.


Re: How to display latest events from a log file in a table format?

SplunkTrust

Hi rajgowd,

First, I would like to beg you to format your posts better in the future. Splunk Answers provides different formatting options.
Note: there aren't any differences in the timestamps between the "old" and "new" differences.

Out of this statement...

"We are storing the difference in one file and indexing it. I would like to display recent changes to configuration files and show them in table format."

... I would suggest doing something like this:

index=yourindex source = /logs/conf/* sourcetype = systemdefault:hdmapp | top limit=50 | table _time source _raw

Instead of "_raw" you could also list your fields.
OR

index=yourindex source = /logs/conf/* sourcetype = systemdefault:hdmapp | transaction source | table _time source _raw

Hope this helps!

Regards,
pyro_wood


Re: How to display latest events from a log file in a table format?

Communicator

Hi,
Thank you. I can use the top command to display them, but I am not sure whether the latest events are 10 lines or 5 lines.
Here are the sample events.

This is the difference stored in the file some time ago:

Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3, VirtualToken00Label = CABOL-HA;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3,VirtualToken = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3, ServerHtl01 = 0;

Here is the difference stored in the same file recently:

Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3, CBOL-HA = 1;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3,HASynchronize = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3, VirtualToken00Members = 157803010,155322014;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3, VirtualToken00SN = 1157803010;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Re: How to display latest events from a log file in a table format?

SplunkTrust

Hi rajgowd,

Try using the following search:

index=* source=/logs/conf/* sourcetype=systemdefault:hdmapp | transaction span=30s | table _time _raw

Re: How to display latest events from a log file in a table format?

Legend

It appears, from the samples you have provided, that the events have the same timestamp. If that is a fair assumption, try this:

index=yourindex source = /logs/conf/* sourcetype = systemdefault:hdmapp | eventstats latest(_time) as current | where current=_time | table ....



Re: How to display latest events from a log file in a table format?

Communicator

Hi,
With the search you provided, I am able to get the latest events.

When I do the difference manually, I see it like below:

Thu Nov 17 08:30:44 2016,vm-b1fc-d5b5,51d50
Thu Nov 17 08:30:44 2016,vm-b1fc-d5b5,< #HAOnly = 1;

but

When I run the search in Splunk with table, I see it in reverse order, like below:

Thu Nov 17 08:30:44 2016 vm-b1fc-d5b5 < #HAOnly = 1;
51d50

Do you have any thoughts on this?


Re: How to display latest events from a log file in a table format?

Communicator

Thanks Sundaresh, I used the reverse function; now the events are displaying properly.
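Putting the thread's two fixes together, as an added example that is not any poster's own search: rex splits each diff line into the timestamp, the host and the changed line (the field names ts, cfg_host and diff_line are my own choice), eventstats plus where keeps only the lines from the most recent cron run, and reverse restores the order in which the Perl program wrote them to the file.

```spl
index=yourindex source=/logs/conf/* sourcetype=systemdefault:hdmapp
| rex field=_raw "^(?<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}),(?<cfg_host>[^,]+),(?<diff_line>.*)$"
| eval diff_line=trim(diff_line)
| eventstats latest(_time) as current
| where _time=current
| reverse
| table _time cfg_host diff_line
```

If the lines of one cron run do not all carry exactly the same timestamp, the equality filter will keep only part of that run; the transaction span=30s search earlier in the thread groups nearby lines instead, at the cost of merging them into one multi-line event.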
