- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Test if host sends the same logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Test if host sends the same logs
Hello,
I have several hosts sending logs to Splunk. These logs depends on the version of the software creating these logs.
I am trying to determine if a query is compatible with host X or Y by looking at the available logs for each host.
Here's a en example.
Host 1 would send:
- Start of initialisation
- Initialisation of device=motor1
- initialisation of device=sensor1
- error during initialisation
- End of initialisation
Host 2 would send:
- Start of initialisation
- Initialisation of device=motor1
- End of initialisation
Here, host2 runs an older version of the software that doesn't logs initialisation of sensor1 and errors.
I'm looking for a command that would output something like:
Site | motor1 | sensor1 | error
host1 | available | available | available
host2 | available | not_here | not_here
How could I check if my host publish this or that log line?
Thanks in advance!
Benoit
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exploit the punct value like this:
| tstats values(punct) AS puncts dc(punct) AS punctCount WHERE (index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo) BY host
The hosts with the most punct values are the ones with the later version.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @bntdumas
I think the best way to use it, use of eventtypes.
1. Saved the search with these events as different eventtype like index=* (host=A OR host=B) "Initialisation of device=motor1" as motor1
2. Saved the search with these events as different eventtype like index=* (host=A OR host=B) "initialisation of device=sensor1" as sensor1 like this
and then you can run search like : index=* (host=A or host=B) | chart count by host, eventtype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting solution, in this case I would have to define an eventtype for each snippet of log that I'm interested into.
Unfortunately it seems a little heavy, I was searching for a more general solution. Do you think it would be possible?
It would be a bit like a searchmatch, except across all the events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, @bntdumas
How can I identify these logs? Is "Start of initialisation" a sourcetype something like that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It could be anything, but mostly keyword based on the text of the logs.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
