Searching For New Packages in Unix

essklau
Path Finder

Hi.

I am trying to find a way to search Unix for new packages. The approach only needs to compare today's list of packages to yesterday's list and display the package/version/"time first seen" of packages that appear today, but not yesterday.

My search starts with index=os sourcetype=package, and the values of package are in table form, but can be split with multikv to show fields for NAME, VERSION, and other fields.

It seems like the easiest approach would be to create a by-host list of NAME values for the last package entry of yesterday, a by-host list of NAME values now, take the values from the now list which don't appear in the past list, and look for those NAME values' first occurrence. Finally, return the NAME/Version/first occurrence.

I'm stuck though at the beginning, because I'm not sure how to set aside/collect yesterday's values for comparison with whatever I come up with for today's list.

Any takers?

Thank you.


dwaddle
SplunkTrust

Some things to think about.

[1] For RPM-based systems, you can run your own scripted input that uses RPM's --qf option to provide a query format that includes the package name and the install time of the package. This could be useful data to you.

[2] This is a job that might require the maintenance of state. You were already thinking in this direction when you were thinking about trying to "set aside/collect yesterday's values". A good way of doing this in Splunk is with a lookup file. @araitz covers this in good detail in a blog post http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

These two things might be usable in combination or independently. I think I would probably start with the RPM query format and see if I could use that alone to see packages installed 'recently' by install timestamp. This gets more complicated when dealing with updates to existing packages, because you'd need some kind of false-positive discrimination...
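An added example, not code from the thread or from any poster, showing the two ideas together: the set-difference approach described in the question and the "keep yesterday's state" approach from this answer. It parses a baseline and a current per-host package inventory, reports packages present today but absent yesterday with name, version and first-seen time, keeps version updates in a separate list so they are not mistaken for new packages, and serializes the current inventory as the CSV a lookup file would hold for the next day's comparison. All host names, package names and timestamps are constructed; the tab-separated columns mirror what `rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\n'` emits, with a host column added in front.

```python
"""Compare today's package inventory to yesterday's and report what is new."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample snapshots (not data from the original thread). Columns follow
# rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\n', prefixed with host.
YESTERDAY_SNAPSHOT = """\
host\tname\tversion\tinstalltime
web01\topenssl\t1.1.1k-7\t1700000000
web01\tcurl\t7.61.1-22\t1700000000
db01\topenssl\t1.1.1k-7\t1700000000
"""

TODAY_SNAPSHOT = """\
host\tname\tversion\tinstalltime
web01\topenssl\t1.1.1k-7\t1700000000
web01\tcurl\t7.61.1-22\t1700000000
web01\tjq\t1.6-2\t1710000000
db01\topenssl\t1.1.1k-9\t1710000100
db01\tpostgresql\t13.9-1\t1710000200
"""


def parse_inventory(text, delimiter="\t"):
    """Map (host, name) -> (version, installtime) from a header-led delimited inventory."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text), delimiter=delimiter):
        inventory[(row["host"], row["name"])] = (row["version"], int(row["installtime"]))
    return inventory


def fmt_time(epoch):
    """Render an epoch install time as an ISO-8601 UTC string for the report."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def new_packages(baseline, current):
    """Packages present now but absent from the baseline, keyed by host and name.
    This is the set difference the question describes; first_seen comes from the
    package's own install time rather than from when the indexer first saw it."""
    rows = []
    for host, name in sorted(current.keys() - baseline.keys()):
        version, installtime = current[(host, name)]
        rows.append({"host": host, "name": name, "version": version,
                     "first_seen": fmt_time(installtime)})
    return rows


def updated_packages(baseline, current):
    """Packages present in both snapshots whose version changed. Reporting these
    separately is the false-positive discrimination needed for updates."""
    rows = []
    for host, name in sorted(current.keys() & baseline.keys()):
        old_version, _ = baseline[(host, name)]
        new_version, installtime = current[(host, name)]
        if old_version != new_version:
            rows.append({"host": host, "name": name, "old_version": old_version,
                         "version": new_version, "installed": fmt_time(installtime)})
    return rows


def to_lookup_csv(inventory):
    """Serialize a snapshot as the CSV a lookup file would hold for tomorrow's run."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host", "name", "version", "installtime"])
    for (host, name), (version, installtime) in sorted(inventory.items()):
        writer.writerow([host, name, version, installtime])
    return buf.getvalue()


if __name__ == "__main__":
    baseline = parse_inventory(YESTERDAY_SNAPSHOT)
    current = parse_inventory(TODAY_SNAPSHOT)
    for row in new_packages(baseline, current):
        print("NEW     ", row["host"], row["name"], row["version"], row["first_seen"])
    for row in updated_packages(baseline, current):
        print("UPDATED ", row["host"], row["name"], row["old_version"], "->", row["version"])
    # Persist today's inventory as the baseline; tomorrow's run reads it back with
    # parse_inventory(lookup_text, delimiter=",").
    lookup_text = to_lookup_csv(current)
    print(lookup_text, end="")
```

In a scheduled search the same shape applies: yesterday's rows live in the lookup, today's rows come from the indexed package events, and the join on host plus NAME yields the difference. Keeping updates out of the "new" list matters because a package whose version changed will otherwise show up as newly installed every time it is patched.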

lguinn2
Legend

Can we see a sample of the actual events for sourcetype=package?
