Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Log file validation based on serverhost and source

ganeshkumarmoha
Explorer
‎06-10-2024 05:20 AM

Hi Team,
For a business requirement, I need to validate log file generated for last an hour with combination of host and source in below order:

Host Source
server001c\:...\logpath1.txt
server002c\:...\logpath2.txt
server003c\:...\logpath3.txt
server004c\:...\logpath4.txt
server005c\:...\logpath5.txt

 

I knew, inputlookup keyword is single column based; however, I need it two columns to check the log file. Can you please suggest what is the best to accomplish my requirement?

Thanks in advance!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-10-2024 05:54 AM

Hi @ganeshkumarmoha 

I suppose that you need to check if you' received events from each host with that source, is it correct?

if this is your requirement and if the source column has a fixed part that you can use for checking (e.g. the file name without path), please tru something like this:

<your_search>
| rex field=source "\\(?<Source>logpath\d*.txt)$"
| rename host AS Host
| stats count BY host Source
| append [ | inputlookup your_lookup.csv | eval count=0 | fields Host Source count ]
| stats sum(count) AS total BY Host Source
| where total=0

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-10-2024 05:54 AM

Hi @ganeshkumarmoha 

I suppose that you need to check if you' received events from each host with that source, is it correct?

if this is your requirement and if the source column has a fixed part that you can use for checking (e.g. the file name without path), please tru something like this:

<your_search>
| rex field=source "\\(?<Source>logpath\d*.txt)$"
| rename host AS Host
| stats count BY host Source
| append [ | inputlookup your_lookup.csv | eval count=0 | fields Host Source count ]
| stats sum(count) AS total BY Host Source
| where total=0

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-13-2024 04:41 AM

Hi @ganeshkumarmoha ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...