Searching For New Packages in Unix

essklau
Path Finder

Hi.

I am trying to find a way to search Unix for new packages. The approach only needs to compare today's list of packages to yesterday's list and display the package/version/"time first seen" of packages that appear today, but not yesterday.

My search starts with index=os sourcetype=package, and the values of package are tabled, but can be split with multikv to show fields for NAME, VERSION, and other fields.

It seems like the easiest approach would be to create a by-host list of NAME values for the last package entry of yesterday, a by-host list of NAME values now, take the values from the now list which don't appear in the past list, and look for those NAME values' first occurrence. Finally, return the NAME/Version/first occurrence.

I'm stuck though at the beginning, because I'm not sure how to set aside/collect yesterday's values for comparison with whatever I come up with for today's list.

Any takers?

Thank you.


dwaddle
SplunkTrust

Some things to think about.

[1] For RPM based systems, you can run your own scripted input that uses RPM's --qf option to provide a query format that includes the package name and the install time of the package. This could be useful data to you.

[2] This is a job that might require the maintenance of state. You were already thinking in this direction when you were thinking about trying to "set aside/collect yesterday's values". A good way of doing this in Splunk is with a lookup file. @araitz covers this in good detail in a blog post http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

These two things might be usable in combination or independently. I think I would probably start with the RPM query format and see if I could use that alone to see packages installed 'recently' by install timestamp. This gets more complicated when dealing with updates to existing packages, because you'd need some kind of false-positive discrimination...
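As an added illustration of the lookup-based state approach in point [2] (this is not from the thread or from the linked blog post), here is one shape a scheduled daily search could take. It assumes a CSV lookup named known_packages.csv with the columns host, NAME, VERSION, first_seen (an assumed name; create it once by running the search with the lookup line removed, or by uploading an empty CSV with just that header), and it uses the NAME and VERSION field names from the question as produced by multikv:

```spl
index=os sourcetype=package earliest=-24h
| multikv fields NAME VERSION
| stats min(_time) AS first_seen latest(VERSION) AS VERSION BY host NAME
| lookup known_packages.csv host NAME OUTPUT first_seen AS known_first_seen
| eval is_new=if(isnull(known_first_seen), "yes", "no")
| eval first_seen=coalesce(known_first_seen, first_seen)
| fields host NAME VERSION first_seen is_new
| outputlookup known_packages.csv
| where is_new="yes"
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table host NAME VERSION first_seen
```

The stats line builds today's per-host inventory and records the earliest time each package was reported in the window, which for a package not yet in the lookup is its "time first seen" (to the granularity of the scripted input's interval). The lookup line is the "set aside yesterday's list" step: anything with no known_first_seen is new, everything else keeps the first_seen already stored. outputlookup rewrites the state with the current inventory and passes the rows on, so the final where/table reports only the new packages. Keying on host and NAME means a version bump is not reported as new, which matches the false-positive concern above; to surface updates as well, add VERSION to the stats BY clause and to the lookup match fields.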

lguinn2
Legend

Can we see a sample of the actual events for sourcetype=package?
