Splunk Search

Run a for loop in splunk to look at a dynamic list

mybestfriendbob
Explorer

I have a user that is asking me to look at the file hashes of every file that comes into splunk across today and yesterday.  I can compare one just fine:

index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"
| rename FileHash as "yesterdays_hash"
| append [ search index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"
| rename FileHash as "todays_hash"]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash

This makes a table showing the 2 hashes and a message telling me if the hash had changed or not.  Now is there a way to run this through foreach or something that can do that for the whole list of file names.

Something like:

index=my_index RuleName="Rule_name"

| stats values | foreach FieldName 

| append [ search index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"
| rename FileHash as "yesterdays_hash"]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash

0 Karma

mybestfriendbob
Explorer

The original query just looked at one file, I want to loop over a whole list then compare to the previous day.

0 Karma

kamlesh_vaghela
SplunkTrust

@mybestfriendbob 

Why do you need foreach? Your existing search should return the expected result.

index=my_index RuleName="Monitor The File" FileName IN ("file.exe","file1.exe","file2.exe") earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"
| rename FileHash as "yesterdays_hash"
| append
    [ search index=my_index RuleName="Monitor The File" FileName IN ("file.exe","file1.exe","file2.exe") earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"
    | rename FileHash as "todays_hash"]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash


Can you please share your observations if it is not returning the expected output?

KV

0 Karma
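A single-search variant of the same day-over-day hash comparison, added here as an editor's example; it is not code from either poster. It assumes the same index, RuleName and FileHash field as the searches above and that each event's _time falls on the day the file came in. Instead of appending a subsearch it tags every event with the day it belongs to, pivots the two days into columns with xyseries, and labels files that appear on only one day, a case the two-branch case() above leaves with an empty description.

```spl
index=my_index RuleName="Rule_name" earliest=-1d@d latest=now
| eval day=if(_time < relative_time(now(), "@d"), "yesterdays_hash", "todays_hash")
| stats values(FileHash) as hashes by FileName, day
| eval hashes=mvjoin(hashes, ",")
| xyseries FileName day hashes
| eval description=case(isnull(yesterdays_hash), "New today: no hash recorded yesterday",
                        isnull(todays_hash), "Not seen today",
                        todays_hash=yesterdays_hash, "Hash has not changed",
                        true(), "Hash has changed")
| table FileName description todays_hash yesterdays_hash
```

Two things to check when adapting this: append runs the bracketed search as a subsearch, which is subject to Splunk's subsearch result and time limits, so for a long list of files the single-search form above is the safer one; and if a file was ingested more than once on a day with different hashes, the mvjoin turns the multivalue field into a comma-separated string, which will compare as "changed" against the other day rather than silently matching on one of the values.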