Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to diff file hashes to display if some of the hashes of /etc/ files have changed?

xilu87
New Member
‎05-18-2016 09:35 AM

Hi,

I have created a script input deployed on several servers which creates a lot of hashes from /etc folder and sub folders. ~1300 files with fingerprint

With rex I have extracted the fields:

_raw=272913026300e7ae9b5e2d51f138e674  /etc/filename  valid fields: hash=272913026300e7ae9b5e2d51f138e674  file=/etc/filename  host=server1, server2, server3, serverX
_time=every 2 minutes

My search is scheduled every 3 minutes:

index="linux" sourcetype="config_hash" | rex field=_raw "(?<hash>.*)\s\s(?<file>.*)" | diff attribute=file position1=1 position2=2

But I get irrelevant result. The result's file hash is the same.
It is possible to display if some of the hash of /etc/ files has changed?

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-18-2016 12:08 PM

You need this app:

https://splunkbase.splunk.com/app/2776/

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...