Splunk Search

Is it possible to do event based comparison on file SAVE?

rajgowd1
Communicator

Hi Experts,

Is it possible to do event-based comparison on file SAVE?

That is, compare the events of the previous file and the present file and show the differences.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

I cannot send it to you now because my PC is, and will be, offline until tomorrow, but in the Splunk Partner Kit there is an example that solves your problem.
If you can't find it, I'll send it to you tomorrow.
Bye.
Giuseppe

0 Karma

rajgowd1
Communicator

Hi Giuseppe,
When I use the search

index=changemgmt sourcetype=config_file | diff diffheader=true | highlight +,-

it sometimes shows the modified changes, but sometimes it does not. Do you have any idea why it's behaving like this?

0 Karma

rajgowd1
Communicator

Hi Giuseppe,
I tried, but I am new to Splunk and I am not able to find it in the Splunk Partner Kit. Please send it to me once you get a chance.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi rajgowd1,
Ask your Splunk Channel Manager for the Partner Kit: it's very useful to see some applications and examples. I cannot send it to you because it's very large.

Anyway, the app is very old, but it is useful to see the approach.

In inputs.conf you can see how to load changes and files.

# fschange stanza: emits one event per detected add/update/delete (action, path, hash, chgs, ...)
[fschange:/your_files_to_monitor_with_full_path]
sourcetype = fschange
recurse = true
pollPeriod = 5
fullEvent = true
sendEventMaxSize = -1
hashMaxSize = 99999999
# one index per stanza: the duplicate "index = main" line has been dropped
index = changemgmt
disabled = 0

# monitor stanza: indexes the file content itself, so versions can be compared with | diff
[monitor://your_files_to_monitor_with_full_path]
followTail = 0
sourcetype = config_file
index = changemgmt
disabled = 0

You can show the modifications using panels with searches like these:

Top actions
index=changemgmt sourcetype=fschange | top action

Type of changes made over a period
index=changemgmt sourcetype=fschange | timechart count by action

Change Results
index=changemgmt sourcetype=fschange | table host, _time, action, path

Detailed Configuration Changes
index=changemgmt sourcetype=config_file  | diff diffheader=true | highlight +,-

Obviously you have to extract the fields to use in searches.

I hope this is useful for you.

Bye.
Giuseppe

0 Karma

rajgowd1
Communicator

Hi Giuseppe,

Thank you so much. I tried the configuration which you provided and tried all search commands. Everything is working as expected.

Do I need to restart the Splunk instance if I make any changes in inputs.conf file?

When I try this command

index=changemgmt sourcetype=config_file  | diff diffheader=true | highlight +,-

it is showing the events like below

--- fschangemonitor
+++ /home/splunk/config/Chrystoki.conf
@@ -1 +1,8 @@
-Fri Oct 14 12:07:01 2016 action=update, path="//home/splunk/config/Chrystoki.conf", isdir=0, size=1627, gid=500, uid=500, modtime="Fri Oct 14 12:06:25 2016", mode="rw-rw-r--", hash=F6D1B2512F5F32A1357A1CE7B16888A54C26CDC6AA7C0A17EFE6FF3DC3130AFE, chgs="modtime hash "
+Luna = {
+  DefaultTimeOut = 200000;
+  PEDTimeout1 = 100000;
+  PEDTimeout2 = 100000;
+  PEDTimeout3 = 10000;
+  KeypairGenTimeOut = 2700000;
+  CloningCommandTimeOut = 300000;
+}
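Review bot: the `---`/`+++` header shows this is not a comparison of two versions of the config file: position 1 is the fschange metadata event (source fschangemonitor, the single `-` line) and position 2 is the content of Chrystoki.conf, so every line of the file is printed as `+` and no actual change is visible. Since the search is restricted to sourcetype=config_file, check which sourcetype the fschangemonitor event actually carries in this index, and pin the comparison to two content events of the same file, for example with source="/home/splunk/config/Chrystoki.conf" in the base search, an explicit sort by _time, and position1/position2 on the diff command. This is also the likely reason the same search was earlier reported to show changes only sometimes: it depends on which two events happen to land in positions 1 and 2.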

is it possible to show only the content with good representation?

0 Karma
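Added example (not code from the thread or from the Partner Kit app): a small Python model of what `index=changemgmt sourcetype=config_file | diff diffheader=true` does over the two kinds of events the inputs.conf above produces. It reproduces the output quoted above (the two newest events, of different types, diffed against each other, so the file comes out as one all-`+` hunk) next to the clean representation asked for: only consecutive config_file versions of the same source are compared. The event dicts, path, timestamps, size and hash are constructed placeholders.

```python
import difflib
import re
from collections import defaultdict

# Matches the fschange event format quoted in the thread (only the fields used here).
FSCHANGE_RE = re.compile(
    r'action=(?P<action>\w+), path="(?P<path>[^"]+)".*?hash=(?P<hash>[0-9A-Fa-f]+)')

def parse_fschange(raw):
    """Extract action, path and hash from an fschange event; None if it is not one."""
    m = FSCHANGE_RE.search(raw)
    return m.groupdict() if m else None

def unified_diff(old, new, fromfile, tofile):
    """Unified diff with a ---/+++ header, like the `diff diffheader=true` output."""
    return "\n".join(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                          fromfile=fromfile, tofile=tofile,
                                          lineterm=""))

def naive_diff_newest_two(events):
    """Compare the two newest events whatever their type (positions 1 and 2 of a
    newest-first result set). If one is the fschange metadata line, the whole
    file content comes out as a single all-'+' hunk instead of a real change."""
    p1, p2 = sorted(events, key=lambda e: e["_time"], reverse=True)[:2]
    return unified_diff(p1["_raw"], p2["_raw"], p1["source"], p2["source"])

def diff_consecutive_versions(events):
    """Group config_file events by source, order them by _time and diff each
    consecutive pair; fschange events are skipped so they never become a side."""
    versions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["sourcetype"] == "config_file":
            versions[ev["source"]].append(ev["_raw"])
    return {path: [unified_diff(a, b, path, path) for a, b in zip(c, c[1:])]
            for path, c in versions.items()}

# Constructed sample events; path, timestamps, size and hash are placeholders.
EVENTS = [
    {"_time": 1, "source": "/tmp/example.conf", "sourcetype": "config_file",
     "_raw": "Luna = {\n  DefaultTimeOut = 200000;\n  PEDTimeout1 = 100000;\n}\n"},
    {"_time": 2, "source": "/tmp/example.conf", "sourcetype": "config_file",
     "_raw": "Luna = {\n  DefaultTimeOut = 200000;\n  PEDTimeout1 = 50000;\n}\n"},
    {"_time": 3, "source": "fschangemonitor", "sourcetype": "fschange",
     "_raw": 'Fri Oct 14 12:07:01 2016 action=update, path="/tmp/example.conf", '
             'isdir=0, size=69, hash=ABCD1234, chgs="modtime hash "'},
]

if __name__ == "__main__":
    print(naive_diff_newest_two(EVENTS))        # whole file as '+' lines
    print(diff_consecutive_versions(EVENTS)["/tmp/example.conf"][0])
```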

gcusello
SplunkTrust
SplunkTrust

To use the new inputs.conf you have to restart Splunk.

The panel shows differences between files that you wanted to highlight.

You could also show the single files, highlighting the differences found with that search.
Something like this (I cannot test it now):

index=changemgmt source=config_file1 [search index=changemgmt sourcetype=config_file | diff diffheader=true]

Try it.
Bye.
Giuseppe

0 Karma

rajgowd1
Communicator

Hi Giuseppe,

I just tried the search below; it says Unknown search command 'index'.

index=test_index source=/home/splunk/config/simple.conf [index="test_idex" sourcetype=conf | diff diffheader=true]

So then I tried this search:

index=test_index source=/home/splunk/config/simple.conf  [search index=test_index source=conf| diff diffheader=true]

but it is not showing any results, only this message:

[subsearch]: command="diff", pos1=1 is out of bounds

0 Karma