Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Test if host sends the same logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Test if host sends the same logs
Hello,
I have several hosts sending logs to Splunk. These logs depends on the version of the software creating these logs.
I am trying to determine if a query is compatible with host X or Y by looking at the available logs for each host.
Here's a en example.
Host 1 would send:
- Start of initialisation
- Initialisation of device=motor1
- initialisation of device=sensor1
- error during initialisation
- End of initialisation
Host 2 would send:
- Start of initialisation
- Initialisation of device=motor1
- End of initialisation
Here, host2 runs an older version of the software that doesn't logs initialisation of sensor1 and errors.
I'm looking for a command that would output something like:
Site | motor1 | sensor1 | error
host1 | available | available | available
host2 | available | not_here | not_here
How could I check if my host publish this or that log line?
Thanks in advance!
Benoit
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exploit the punct value like this:
| tstats values(punct) AS puncts dc(punct) AS punctCount WHERE (index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo) BY host
The hosts with the most punct values are the ones with the later version.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @bntdumas
I think the best way to use it, use of eventtypes.
1. Saved the search with these events as different eventtype like index=* (host=A OR host=B) "Initialisation of device=motor1" as motor1
2. Saved the search with these events as different eventtype like index=* (host=A OR host=B) "initialisation of device=sensor1" as sensor1 like this
and then you can run search like : index=* (host=A or host=B) | chart count by host, eventtype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting solution, in this case I would have to define an eventtype for each snippet of log that I'm interested into.
Unfortunately it seems a little heavy, I was searching for a more general solution. Do you think it would be possible?
It would be a bit like a searchmatch, except across all the events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, @bntdumas
How can I identify these logs? Is "Start of initialisation" a sourcetype something like that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It could be anything, but mostly keyword based on the text of the logs.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
