Splunk Search

Search to find the timestamp of each (Login, Logout, Expire) keyword from _raw and log file last updated time

Path Finder

Hi Guys,

Can anyone please help me in the below search.
I want the name of all logfiles with details of keywords from each sourcetype.
If there is a keyword present in the specific log file then the last time when that keyword was there in the log file.

Log_Name | Updatedago | Login | Logout | Expire
Server.log | Last Login event at "TimeFrame"| Last LogOut event at "TimeFrame"| Last Expire event at "TimeFrame"
Server1.log | Last Login event at "TimeFrame"| Last LogOut event at "TimeFrame"| Last Expire event at "TimeFrame"

The Login , Logout, Expire are the keywords available in _raw field.
The timestamp field specifies the logs are updated how many minutes/hours ago(last updated time of log file)

I am using below search but no results and not sure how to get last updated thing:

index=serverlogs source=server*.log
 | eval status=if(_raw LIKE "*Login*" ,Login, _raw LIKE "*LogOut*","Logout", _raw LIKE "*Expire*","Expire",0 )
0 Karma

Esteemed Legend

Try this:

index=serverlogs source=server*.log
| eval status=case(
   match(_raw, "Login",  "Login",
   match(_raw, "LogOut", "Logout", 
   match(_raw, "Expire", "Expire",
   true(), "Other")
0 Karma

Legend

Hi sahil237888,
whay don't you tried to use tags?
you should create three different eventypes and associate to each of them a tag:

  • index=serverlogs source=server*.log login for tag=login
  • index=serverlogs source=server*.log logout for tag=logout
  • index=serverlogs source=server*.log logfail for tag=logfail

In this way, yoy have the keywords to display:

index=serverlogs source=server*.log
| table _time source tag

Using this method I created an entire apps to display login, logout and logfail of many different systems, creating many eventyper (three for each kind of system) associating the related tag.

Bye.
Giuseppe