Splunk Search

Conditional Splunk Query (if else)

GRC
Path Finder

Hi Champions,

In the below-mentioned dataset, I want to create a conditional Splunk query.

Ex: I want to check first whether the rsyslog service is stopped; if it is stopped, then who stopped it and on which server, then display the results in a table.

Can you please help ?

Oct 25 16:30:06 keybox sudosh: KHYJS6PxEI64zG Henry: service rsyslog start
Oct 25 16:30:02 keybox sudosh: KHYJS6PxEI64zG Joseph: #011service rsyslog stop
Oct 25 15:15:30 keybox sudosh: ssNjFZca22OvaB Henry: service rsyslog stop
Oct 25 15:08:26 keybox sudosh: ssNjFZla22OvaB Henry: #011service rsyslog start
Oct 25 15:07:46 keybox sudosh: ssNjFZla22OvaB Joseph: service rsyslog status
Oct 25 15:06:21 keybox sudosh: ssNjF0la22OvaB Asher: service rsyslog statutss
Oct 25 14:49:57 eqc-03-tpp sudosh: gkrMz1dLey0CS1 John: cat /etc/red#011#177#177#177#177#177#177#177#177#177#177#177#177#177#177#177r#177#177#177#177#177#177#177#177#177#177#177#177#177sys#177#177ervice rsyslog status
Oct 25 14:48:26 keybox sudosh: VSjTDhPH3iM5MY Ahser: service rsyslog status

Fields are:

I tried the below-mentioned query, but was unable to create a conditional query.

index = sudosh_app_protected  host = *

|eval "Critical Logging Events:" = "Rsyslog was Stopped on " + host, "Date and Time" = MonthDateTime, "User" = UserName, "Source" = sourcetype
|table "Date and Time","Critical Logging Events:" , "User", "Source"

Please help.
Thank you in advance. 


ITWhisperer
SplunkTrust

Is this sufficient to get all the stop events?

index = sudosh_app_protected  host = * "service rsyslog stop"

GRC
Path Finder

Hi @ITWhisperer @PickleRick ,

I got the hints from a query builder. It is something like this:

| rex field=_raw "(?<date>\w{3} \d+ \d+:\d+:\d+) (?<var_name>.+) (?<lnx_command>\w+): (?<var_name2>\w+) (?<user>\w+): (?<sys_command>.*)"

| search sys_command="*rsyslog stop"

| table date user <the var_name that corresponds to your server name>

Thank you for trying to help me out. I really appreciate it. 

Cheers


PickleRick
SplunkTrust

I don't know about OP and the reason for such a search, but in general it won't tell you who stopped the service.

For example, from two subsequent "service stop" commands without any "service start" in between, the second one doesn't necessarily do anything, because the service should already be stopped.

But we don't know whether the service did indeed stop, so the original question is unanswerable from the data we have at hand. We only know what people requested. We don't know how the services reacted. Whether they managed to start or whether they failed to stop.

That's one caveat we need to take into account while analyzing such data.

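Added example, not from the thread and not Splunk's or sudosh's own code: it runs the rex from the reply above over the sample lines quoted in the question (copied verbatim as constructed input), keeps the stop requests the way `sys_command="*rsyslog stop"` does, and builds the date/server/user table. It also decodes the `#011`/`#177` escapes and replays start/stop requests per host in time order, so a stop that follows another stop with no start in between is visible in the table, which is the caveat PickleRick raises. Assumptions: `var_name` is the server name and `var_name2` the sudosh session id (renamed `host` and `session`), DEL (`#177`) acts as the terminal erase key, and the year-less syslog timestamp is parsed as 1900 for sorting only.

```python
import re
from datetime import datetime

# Constructed sample: the sudosh lines quoted in the question, copied verbatim
# (newest first, as posted). "#011" is a tab and "#177" is DEL, written in the
# "#ooo" octal form syslog uses for control characters.
SAMPLE_LOG = """\
Oct 25 16:30:06 keybox sudosh: KHYJS6PxEI64zG Henry: service rsyslog start
Oct 25 16:30:02 keybox sudosh: KHYJS6PxEI64zG Joseph: #011service rsyslog stop
Oct 25 15:15:30 keybox sudosh: ssNjFZca22OvaB Henry: service rsyslog stop
Oct 25 15:08:26 keybox sudosh: ssNjFZla22OvaB Henry: #011service rsyslog start
Oct 25 15:07:46 keybox sudosh: ssNjFZla22OvaB Joseph: service rsyslog status
Oct 25 15:06:21 keybox sudosh: ssNjF0la22OvaB Asher: service rsyslog statutss
Oct 25 14:49:57 eqc-03-tpp sudosh: gkrMz1dLey0CS1 John: cat /etc/red#011#177#177#177#177#177#177#177#177#177#177#177#177#177#177#177r#177#177#177#177#177#177#177#177#177#177#177#177#177sys#177#177ervice rsyslog status
Oct 25 14:48:26 keybox sudosh: VSjTDhPH3iM5MY Ahser: service rsyslog status
"""

# Same pattern as the rex in the reply above, in Python's (?P<name>) syntax.
# Assumption: var_name is the server name (host), var_name2 the session id.
SUDOSH_RE = re.compile(
    r"(?P<date>\w{3} \d+ \d+:\d+:\d+) (?P<host>.+) (?P<lnx_command>\w+): "
    r"(?P<session>\w+) (?P<user>\w+): (?P<sys_command>.*)"
)

OCTAL_ESCAPE = re.compile(r"(#[0-7]{3})")


def decode_sudosh(text):
    """Undo the #ooo escapes and replay DEL (#177) as the terminal erase key,
    so the command the operator finally submitted is recovered from the
    keystroke record (assumption: DEL is the erase character, the usual
    terminal default)."""
    buf = []
    for piece in OCTAL_ESCAPE.split(text):
        if OCTAL_ESCAPE.fullmatch(piece):
            ch = chr(int(piece[1:], 8))
            if ch == "\x7f":
                if buf:
                    buf.pop()       # erase the previously typed character
            else:
                buf.append(ch)      # e.g. the leading tab from "#011"
        else:
            buf.extend(piece)
    return "".join(buf).strip()


def parse_line(line):
    """Extract the fields the rex produces, plus the decoded command and a
    sortable timestamp (syslog lines carry no year, so 1900 is assumed)."""
    m = SUDOSH_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["command"] = decode_sudosh(event["sys_command"])
    event["ts"] = datetime.strptime(event["date"], "%b %d %H:%M:%S")
    return event


def rsyslog_action(command):
    """Return 'start', 'stop', 'status', ... for a 'service rsyslog <x>' command."""
    m = re.fullmatch(r"service rsyslog (\w+)", command)
    return m.group(1) if m else None


def stop_requests(log_text):
    """Replay start/stop requests per host in time order and return the stop
    requests as table rows.  Each row also shows the previous start/stop
    request on that host, so a stop that follows another stop with no start
    in between stands out: that second stop may have done nothing, and none of
    these lines prove the service actually stopped, only that it was requested."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])      # the sample is newest-first
    last_request = {}                       # host -> (action, user)
    rows = []
    for e in events:
        action = rsyslog_action(e["command"])
        if action not in ("start", "stop"):
            continue
        if action == "stop":
            prev = last_request.get(e["host"])
            rows.append({
                "Date and Time": e["date"],
                "Server": e["host"],
                "User": e["user"],
                "Critical Logging Events:": f"rsyslog stop requested on {e['host']}",
                "Previous start/stop request": f"{prev[0]} by {prev[1]}" if prev else "none seen",
            })
        last_request[e["host"]] = (action, e["user"])
    return rows


if __name__ == "__main__":
    for row in stop_requests(SAMPLE_LOG):
        print(" | ".join(f"{k}={v}" for k, v in row.items()))
```

On the sample data this yields two rows: Henry's stop at 15:15:30 (preceded by his own start) and Joseph's stop at 16:30:02, whose previous request on keybox is already a stop. The John line on eqc-03-tpp decodes to `service rsyslog status` once the erase keystrokes are replayed, so it is correctly not counted as a stop even though the raw text contains "rsyslog status" after a lot of noise.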