Splunk Search

Test if host sends the same logs



I have several hosts sending logs to Splunk. These logs depend on the version of the software creating these logs.
I am trying to determine if a query is compatible with host X or Y by looking at the available logs for each host.

Here's an example.

Host 1 would send:
- Start of initialisation
- Initialisation of device=motor1
- initialisation of device=sensor1
- error during initialisation
- End of initialisation

Host 2 would send:
- Start of initialisation
- Initialisation of device=motor1
- End of initialisation

Here, host2 runs an older version of the software that doesn't log initialisation of sensor1 and errors.

I'm looking for a command that would output something like:
Site | motor1 | sensor1 | error
host1 | available | available | available
host2 | available | not_here | not_here

How could I check if my host publishes this or that log line?

Thanks in advance!


Esteemed Legend

Exploit the punct value like this:

| tstats values(punct) AS puncts dc(punct) AS punctCount WHERE (index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo) BY host

The hosts with the most punct values are the ones with the later version.



Hello @bntdumas
I think the best way is to use eventtypes.
1. Save the search with these events as a different eventtype, like index=* (host=A OR host=B) "Initialisation of device=motor1" as motor1
2. Save the search with these events as a different eventtype, like index=* (host=A OR host=B) "initialisation of device=sensor1" as sensor1

and then you can run a search like: index=* (host=A OR host=B) | chart count by host, eventtype



Interesting solution, in this case I would have to define an eventtype for each snippet of log that I'm interested in.
Unfortunately it seems a little heavy, I was searching for a more general solution. Do you think it would be possible?

It would be a bit like a searchmatch, except across all the events.
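A more general form of the eventtype approach, written as an added example rather than anything posted in this thread: instead of saving one eventtype per log line, each line of interest is tagged inside the search with a single eval/case() over _raw, and chart then lays out the host-by-feature matrix the question asks for. The index and sourcetype names (index=main, sourcetype=device_init), the host names host1/host2 and the three regular expressions are assumptions standing in for the real values; adding a new log line to check means adding one match() branch and its name to the fillnull and foreach lists.

```spl
index=main sourcetype=device_init (host=host1 OR host=host2)
| eval feature=case(
      match(_raw, "(?i)device=motor1"),               "motor1",
      match(_raw, "(?i)device=sensor1"),              "sensor1",
      match(_raw, "(?i)error during initialisation"), "error")
| where isnotnull(feature)
| chart count over host by feature
| fillnull value=0 motor1 sensor1 error
| foreach motor1 sensor1 error
    [ eval <<FIELD>>=if('<<FIELD>>' > 0, "available", "not_here") ]
| rename host AS Site
| table Site motor1 sensor1 error
```

Events that match none of the branches get a null feature and are dropped by the where clause, so only the lines you care about reach chart; chart fills host/feature pairs that never occur with a count of 0, and fillnull creates a column for a feature that no host in the search window emits at all, which is the case the 'not_here' cell is meant to expose. Keep the search window wide enough to cover at least one full initialisation cycle per host, otherwise a line that is merely infrequent will look like one the host never sends.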



Hi, @bntdumas

How can I identify these logs? Is "Start of initialisation" a sourcetype or something like that?



It could be anything, but mostly keyword based on the text of the logs.
