Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to diff file hashes to display if some of the hashes of /etc/ files have changed?

xilu87
New Member
‎05-18-2016 09:35 AM

Hi,

I have created a script input deployed on several servers which creates a lot of hashes from /etc folder and sub folders. ~1300 files with fingerprint

With rex I have extracted the fields:

_raw=272913026300e7ae9b5e2d51f138e674  /etc/filename  valid fields: hash=272913026300e7ae9b5e2d51f138e674  file=/etc/filename  host=server1, server2, server3, serverX
_time=every 2 minutes

My search is scheduled every 3 minutes:

index="linux" sourcetype="config_hash" | rex field=_raw "(?<hash>.*)\s\s(?<file>.*)" | diff attribute=file position1=1 position2=2

But I get irrelevant result. The result's file hash is the same.
It is possible to display if some of the hash of /etc/ files has changed?

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-18-2016 12:08 PM

You need this app:

https://splunkbase.splunk.com/app/2776/

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...