Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Run a for loop in splunk to look at a dynamic list

mybestfriendbob
Explorer
‎07-15-2021 07:22 AM

I have a user that is asking me to look at the file hashes of every file that some into splunk across today and yesterday.  I can compare one just fine:

index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"
| rename FileHash as "todays_hash"
| append [ search index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"
| rename FileHash as "yesterdays_hash"]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash

This makes a table showing the 2 hashes and a message telling me if the hash had changed or not.  Now is there a way to run this through foreach or something that can do that for the whole list of file names.

Something like:

index=my_index RuleName="Rule_name"

| stats values | foreach FieldName 

| append [ search index=my_index RuleName="Rule_name" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"
| rename FileHash as "yesterdays_hash"]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash

Labels (2)
Labels
0 Karma
Reply

mybestfriendbob
Explorer
‎07-15-2021 12:00 PM

The original query just looked at one file, I want to loop over a whole list then compare to the previous day.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-15-2021 08:06 AM

@mybestfriendbob 

Why you need foreach? Your existing search should return expected result.

index=my_index RuleName="Monitor The File" FileName IN ("file.exe","file1.exe","file2.exe") earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00" 
| rename FileHash as "yesterdays_hash" 
| append 
    [ search index=my_index RuleName="Monitor The File" 
         IN ("file.exe","file1.exe","file2.exe") earliest="06/12/2021:00:00:00" 
        latest="06/12/2021:24:00:00" 
    | rename FileHash as "todays_hash"] 
| stats values(*) as * by FileName 
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed") 
| table FileName description todays_hash yesterdays_hash

 

Can you please your observations if it is not returning expected OP?

KV

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...