Splunk Search

file manipulation for custom logs


I have a custom log file format that i am importing via a windows forwarder. In it there are a number of fields related to configuration items and at the bottom is a summation of all the non-compliant items


There could be multiple files for the same hostname (havent changed it to ignore non-new files) I would like to have an output that shows the latest file by hostname and the value for the field totalFailed. There will be multiple files from different hostnames and i would like the most recent file from each host to show the line of total failed items.

hostA | file | totalFailed

As a bonus point, how would i colorize (red) any values of totalFailed if its non-zero? I would eventually like to extend this to a dashboard that shows a single value image of all non-compliant hosts (red>0) and all compliant hosts (green=0). I would imagine i need this to be a parameterized search to return a single value and the hostname to label it. But first things first, I tried using

 | stats max(file) by hostname

but that gets me a count of the files for the latest hostname.

| top limit=1 file by hostname

gets me the same thing i believe.

Any suggestions on how to do this?

Tags (2)
0 Karma


An update, I changed this to a monitor and now import then entire file and create my fields and do the magic that way. Problem solved

0 Karma