Splunk Search

Test if host sends the same logs



I have several hosts sending logs to Splunk. These logs depends on the version of the software creating these logs.
I am trying to determine if a query is compatible with host X or Y by looking at the available logs for each host.

Here's a en example.

Host 1 would send:
- Start of initialisation
- Initialisation of device=motor1
- initialisation of device=sensor1
- error during initialisation
- End of initialisation

Host 2 would send:
- Start of initialisation
- Initialisation of device=motor1
- End of initialisation

Here, host2 runs an older version of the software that doesn't logs initialisation of sensor1 and errors.

I'm looking for a command that would output something like:
Site | motor1 | sensor1 | error
host1 | available | available | available
host2 | available | not_here | not_here

How could I check if my host publish this or that log line?

Thanks in advance!

Tags (2)
0 Karma

Esteemed Legend

Exploit the punct value like this:

| tstats values(punct) AS puncts dc(punct) AS punctCount WHERE (index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo) BY host

The hosts with the most punct values are the ones with the later version.

0 Karma


Hello @bntdumas
I think the best way to use it, use of eventtypes.
1. Saved the search with these events as different eventtype like index=* (host=A OR host=B) "Initialisation of device=motor1" as motor1
2. Saved the search with these events as different eventtype like index=* (host=A OR host=B) "initialisation of device=sensor1" as sensor1 like this

and then you can run search like : index=* (host=A or host=B) | chart count by host, eventtype

0 Karma


Interesting solution, in this case I would have to define an eventtype for each snippet of log that I'm interested into.
Unfortunately it seems a little heavy, I was searching for a more general solution. Do you think it would be possible?

It would be a bit like a searchmatch, except across all the events.

0 Karma


Hi, @bntdumas

How can I identify these logs? Is "Start of initialisation" a sourcetype something like that?

0 Karma


It could be anything, but mostly keyword based on the text of the logs.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...