I have a user who is asking me to look at the file hashes of every file that comes into Splunk across today and yesterday. I can compare one just fine:
index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"
| rename FileHash as "yesterdays_hash"
| append [ search index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"
| rename FileHash as "todays_hash"]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash
This makes a table showing the 2 hashes and a message telling me if the hash has changed or not. Now, is there a way to run this through foreach or something that can do that for the whole list of file names?
Something like:
index=my_index RuleName="Rule_name"
| stats values | foreach FieldName
| append [ search index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"
| rename FileHash as "yesterdays_hash"]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash
The original query just looked at one file; I want to loop over a whole list and then compare to the previous day.
Why do you need foreach? Your existing search should return the expected result.
index=my_index RuleName="Monitor The File" FileName IN ("file.exe","file1.exe","file2.exe") earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"
| rename FileHash as "yesterdays_hash"
| append
[ search index=my_index RuleName="Monitor The File" FileName IN ("file.exe","file1.exe","file2.exe") earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"
| rename FileHash as "todays_hash"]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash
Can you please share your observations if it is not returning the expected output?
KV
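As an added example (not part of the original question or answer), here is a single-search version that covers every file name seen in the window without listing them. It replaces the fixed dates with relative time modifiers and the append with stats over eval() expressions, which also sidesteps the result and time limits that append's subsearch is subject to. It additionally gives a description to files seen on only one of the two days, which the two-branch case() in the searches above leaves empty, and flags files that reported more than one hash within a single day. The index, RuleName and the FileName/FileHash field names are taken from the page; the time window (yesterday 00:00 to now) and the description strings are assumptions. The inline comments use Splunk's triple-backtick SPL comment syntax; drop them on versions that do not support it.

```spl
index=my_index RuleName="Rule_name" earliest=-1d@d latest=now ``` assumed window: yesterday 00:00 through now ```
| eval day=if(_time >= relative_time(now(), "@d"), "today", "yesterday") ``` bucket each event by calendar day ```
| stats values(eval(if(day="today", FileHash, null()))) as todays_hash
        values(eval(if(day="yesterday", FileHash, null()))) as yesterdays_hash
        by FileName ``` one row per file name, no explicit list required ```
| eval description=case(
        isnull(yesterdays_hash), "New today: no hash seen yesterday",
        isnull(todays_hash), "Not seen today",
        mvcount(todays_hash) > 1 OR mvcount(yesterdays_hash) > 1, "Multiple hashes within one day: investigate",
        todays_hash=yesterdays_hash, "Hash has not changed",
        true(), "Hash has changed") ``` description strings are assumptions ```
| table FileName description todays_hash yesterdays_hash
```

The today/yesterday split is computed relative to the time the search runs; to compare two specific past dates instead, replace earliest/latest with those dates and change the relative_time() cutoff to the midnight between them. Because stats values() returns a multivalue field when a file had several hashes in one day, the mvcount() branch is placed before the equality test so that such rows are surfaced rather than silently compared.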