Splunk Search

find NOCLOSESESSION in logs daily

indeed_2000
Motivator

Hi,
I have two fields in my logfile, <servername> and <CLOSESESSION>, and I need to know when CLOSESESSION is 0 each day, by servername.
Every day I expect CLOSESESSION to appear in my server logs; if one or more servers have no CLOSESESSION, it means something is going wrong.

Here is the SPL:

index="my_index"
| rex field=source "(?<servername>\w+)."
| rex "CLOSESESSION\:\s+(?<CLOSESESSION>\w+)"
| table _time servername CLOSESESSION

Expected output:

Servername    cause
Server10      NOCLOSESESSION
Server15      NOCLOSESESSION

Any idea?

Thanks,

1 Solution

indeed_2000
Motivator

After several tries I found a solution:

| metadata type=hosts index=my_index
| eval count=0
| table host count
| append
[ search index=my_index CLOSESESSION
| stats count by host ]
| stats sum(count) as number by host | where number=0



somesoni2
SplunkTrust

You would basically need a lookup table file with all your server names (say the lookup table file name will be servers.csv, with a column servername). Once you have this set up, you can run something like this:

index="my_index"
| rex field=source "(?<servername>\w+)."
| rex "CLOSESESSION\:\s+(?<CLOSESESSION>\w+)"
| stats dc(CLOSESESSION) as CLOSESESSIONs by servername
| append [| inputlookup servers.csv | table servername | eval CLOSESESSIONs=0]
| stats max(CLOSESESSIONs) as CLOSESESSIONs by servername
| where CLOSESESSIONs=0

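Both the accepted answer (inventory from `| metadata type=hosts`) and the lookup-based answer above rest on the same idea: you cannot detect the absence of an event from the events alone, so you join a list of servers that are expected to report against the servers that actually logged CLOSESESSION and keep the ones with a count of zero. The following Python is an added example, not code from the thread or from Splunk, that implements that check outside Splunk so the logic can be seen end to end. The log lines, source paths, days and the known-server list are all constructed for the example; the regexes are Python equivalents of the thread's `rex` patterns (Python spells named groups `(?P<name>...)`).

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original thread): (day, source path, raw line).
# The source paths are hypothetical; the line format follows the thread's sample logs.
SAMPLE_EVENTS = [
    ("2024-03-01", "/var/log/app/server1.log", "23:54:00.957 app server 1 module: CLOSESESSION"),
    ("2024-03-01", "/var/log/app/server3.log", "23:54:00.958 app server 3 module: CLOSESESSION"),
    ("2024-03-01", "/var/log/app/server4.log", "23:54:00.959 app server 4 module: CLOSESESSION"),
    ("2024-03-01", "/var/log/app/server2.log", "23:55:12.004 app server 2 module: OPENSESSION"),
    ("2024-03-02", "/var/log/app/server1.log", "23:54:01.120 app server 1 module: CLOSESESSION"),
    ("2024-03-02", "/var/log/app/server2.log", "23:54:01.121 app server 2 module: CLOSESESSION"),
    ("2024-03-02", "/var/log/app/server3.log", "23:54:01.122 app server 3 module: CLOSESESSION"),
    ("2024-03-02", "/var/log/app/server4.log", "23:54:01.123 app server 4 module: CLOSESESSION"),
]

# Constructed inventory of servers expected to report, playing the role of
# servers.csv or the `metadata` host list in the thread. server5 never logs.
KNOWN_SERVERS = ["server1", "server2", "server3", "server4", "server5"]

# Equivalent of `rex field=source "(?<servername>\w+)\."`: the file name stem.
SOURCE_RE = re.compile(r"(?P<servername>\w+)\.\w+$")
# Equivalent of `rex "\:\s+(?<CLOSESESSION>CLOSESESSION)"`.
CLOSE_RE = re.compile(r":\s+(?P<CLOSESESSION>CLOSESESSION)\b")


def servername_from_source(source):
    """Extract the server name from a source path; None if the path does not match."""
    m = SOURCE_RE.search(source)
    return m.group("servername") if m else None


def has_closesession(line):
    """True when the raw line carries a CLOSESESSION marker after the module colon."""
    return CLOSE_RE.search(line) is not None


def missing_closesession_by_day(events, known_servers=None):
    """Return {day: sorted list of servers with zero CLOSESESSION events that day}.

    With known_servers the check is inventory-driven, so a server that logged
    nothing at all is still reported (the lookup / metadata approach). Without
    it the inventory is inferred from the events themselves, which is exactly
    why a fillnull-only search cannot see a server that never logs.
    """
    seen_by_day = defaultdict(dict)  # day -> {servername: closesession count}
    for day, source, line in events:
        name = servername_from_source(source)
        if name is None:
            continue
        counts = seen_by_day[day]
        counts[name] = counts.get(name, 0) + (1 if has_closesession(line) else 0)

    if known_servers is None:
        inventory = {n for counts in seen_by_day.values() for n in counts}
    else:
        inventory = set(known_servers)

    return {
        day: sorted(n for n in inventory if counts.get(n, 0) == 0)
        for day, counts in sorted(seen_by_day.items())
    }


if __name__ == "__main__":
    # Same shape as the thread's expected output: one row per silent server per day.
    for day, servers in missing_closesession_by_day(SAMPLE_EVENTS, KNOWN_SERVERS).items():
        for server in servers:
            print(f"{day}\t{server}\tNOCLOSESESSION")
```

Running the check with the inventory reports server2 on the first day (it logged, but only OPENSESSION) and server5 on both days (it never logged at all); running it without the inventory reports only server2, which is the gap the lookup or `metadata` list closes. In Splunk the same caveat applies to `| metadata type=hosts`: it only knows hosts that have indexed something at some point, so a server that has never sent a single event still needs a maintained lookup.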

indeed_2000
Motivator

Is it possible without a csv file?


ITWhisperer
SplunkTrust

Would something like this work for you?

index="my_index"
| rex field=source "(?<servername>\w+)."
| rex "CLOSESESSION\:\s+(?<CLOSESESSION>\w+)"
| fillnull value="NOCLOSESESSION" CLOSESESSION
| bin _time span=1d
| stats values(CLOSESESSION) as CLOSESESSION by _time servername
| eval CLOSESESSION=mvjoin(CLOSESESSION,"")
| where CLOSESESSION="NOCLOSESESSION"

indeed_2000
Motivator

It does not work. Here is the log:

23:54:00.957 app server 1 module: CLOSESESSION
23:54:00.958 app server 3 module: CLOSESESSION
23:54:00.959 app server 4 module: CLOSESESSION

Expected output:

Servername    cause
Server2       NOCLOSESESSION

ITWhisperer
SplunkTrust
SplunkTrust

If those are your logs, the issue may be with the rex - try something like this

| rex "\:\s+(?<CLOSESESSION>CLOSESESSION)"

indeed_2000
Motivator

I still have the issue. I think we need two searches here: first extract all server names from the file names that exist in the path, using metadata for a faster result, then in the second query check which one has no CLOSESESSION.

Something like this:

1- list of all log files that exist (per server)
| metadata type=sources index=my_index | table source

2- filter just the lines that have CLOSESESSION
index="my_index" | search CLOSESESSION
| rex extracted server names of field "source" from STEP 1
| rex "\:\s+(?<CLOSESESSION>CLOSESESSION)"
| fillnull value="NOCLOSESESSION" CLOSESESSION
| bin _time span=1d
| stats values(CLOSESESSION) as CLOSESESSION by _time servername
| eval CLOSESESSION=mvjoin(CLOSESESSION,"")
| where CLOSESESSION="NOCLOSESESSION"

Here are the logs:

23:54:00.957 app server 1 module: CLOSESESSION
23:54:00.958 app server 3 module: CLOSESESSION
23:54:00.959 app server 4 module: CLOSESESSION

Expected output step 1:

servernames
server 1
server 2
server 3
server 4

Expected output step 2:

Servername    cause
Server2       NOCLOSESESSION

somesoni2
SplunkTrust

Try this

index="my_index"
| rex field=source "(?<servername>\w+)."
| rex "CLOSESESSION\:\s+(?<CLOSESESSION>\w+)"
| stats dc(CLOSESESSION) as CLOSESESSIONs by servername
| where CLOSESESSIONs=0

indeed_2000
Motivator

It does not work. Here is the log:

23:54:00.957 app server 1 module: CLOSESESSION
23:54:00.958 app server 3 module: CLOSESESSION
23:54:00.959 app server 4 module: CLOSESESSION

Expected output:

Servername    cause
Server2       NOCLOSESESSION