Splunk Search

Search to find the timestamp of each (Login, Logout, Expire) keyword from _raw and log file last updated time

sahil237888
Path Finder

Hi Guys,

Can anyone please help me in the below search.
I want the name of all logfiles with details of keywords from each sourcetype.
If there is a keyword present in the specific log file then the last time when that keyword was there in the log file.

Log_Name | Updatedago | Login | Logout | Expire
Server.log | Last Login event at "TimeFrame"| Last LogOut event at "TimeFrame"| Last Expire event at "TimeFrame"
Server1.log | Last Login event at "TimeFrame"| Last LogOut event at "TimeFrame"| Last Expire event at "TimeFrame"

The Login , Logout, Expire are the keywords available in _raw field.
The timestamp field specifies the logs are updated how many minutes/hours ago(last updated time of log file)

I am using below search but no results and not sure how to get last updated thing:

index=serverlogs source=server*.log
 | eval status=if(_raw LIKE "*Login*" ,Login, _raw LIKE "*LogOut*","Logout", _raw LIKE "*Expire*","Expire",0 )
0 Karma

woodcock
Esteemed Legend

Try this:

index=serverlogs source=server*.log
| eval status=case(
   match(_raw, "Login",  "Login",
   match(_raw, "LogOut", "Logout", 
   match(_raw, "Expire", "Expire",
   true(), "Other")
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi sahil237888,
whay don't you tried to use tags?
you should create three different eventypes and associate to each of them a tag:

  • index=serverlogs source=server*.log login for tag=login
  • index=serverlogs source=server*.log logout for tag=logout
  • index=serverlogs source=server*.log logfail for tag=logfail

In this way, yoy have the keywords to display:

index=serverlogs source=server*.log
| table _time source tag

Using this method I created an entire apps to display login, logout and logfail of many different systems, creating many eventyper (three for each kind of system) associating the related tag.

Bye.
Giuseppe

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!