Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Run a for loop in splunk to look at a dynamic list

mybestfriendbob
Explorer
‎07-15-2021 07:22 AM

I have a user that is asking me to look at the file hashes of every file that some into splunk across today and yesterday.  I can compare one just fine:

index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"
| rename FileHash as "todays_hash"
| append [ search index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"
| rename FileHash as "yesterdays_hash"]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash

This makes a table showing the 2 hashes and a message telling me if the hash had changed or not.  Now is there a way to run this through foreach or something that can do that for the whole list of file names.

Something like:

index=my_index RuleName="Rule_name"

| stats values | foreach FieldName 

| append [ search index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"
| rename FileHash as "yesterdays_hash"]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash

Labels (2)
Labels
0 Karma
Reply

mybestfriendbob
Explorer
‎07-15-2021 12:00 PM

The original query just looked at one file, I want to loop over a whole list then compare to the previous day.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-15-2021 08:06 AM

@mybestfriendbob 

Why you need foreach? Your existing search should return expected result.

index=my_index RuleName="Monitor The File" FileName IN ("file.exe","file1.exe","file2.exe") earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00" 
| rename FileHash as "yesterdays_hash" 
| append 
    [ search index=my_index RuleName="Monitor The File" 
         IN ("file.exe","file1.exe","file2.exe") earliest="06/12/2021:00:00:00" 
        latest="06/12/2021:24:00:00" 
    | rename FileHash as "todays_hash"] 
| stats values(*) as * by FileName 
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed") 
| table FileName description todays_hash yesterdays_hash

 

Can you please your observations if it is not returning expected OP?

KV

0 Karma
Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
Top