Hi,
We have 2 configuration files, like spg.conf and spg.conf.1162016, and we wrote a Perl program to find the difference between these 2 files; the Perl program runs under cron.
We are storing the difference in one file and indexing it. I would like to display recent changes to the configuration files and show them in table format.
Below is the sample data.
This is the difference stored in the file some time ago:
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, VirtualToken00Label = CABOL-HA;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,VirtualToken = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, ServerHtl01 = 0;
Here is the difference stored in the same file recently:
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, CBOL-HA = 1;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,HASynchronize = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, VirtualToken00Members = 157803010,155322014;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3, VirtualToken00SN = 1157803010;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
I would like to show only the recent data in table format. Any help is appreciated.
It appears, from the samples you have provided, that the events have the same timestamp. If that is a fair assumption, try this:
index=yourindex source = /logs/conf/* sourcetype = systemdefault:hdmapp | eventstats latest(_time) as current | where current=_time | table ....
Hi,
With the search you provided, I am able to get the latest events.
When I do the difference manually, I see it like below:
Thu Nov 17 08:30:44 2016,vm-b1fc-d5b5,51d50
Thu Nov 17 08:30:44 2016,vm-b1fc-d5b5,< #HAOnly = 1;
but
When I run the search in Splunk with table, I see it in reverse order, like below:
Thu Nov 17 08:30:44 2016 vm-b1fc-d5b5 < #HAOnly = 1;
51d50
Do you have any thoughts on this?
Thanks Sundaresh, I used the reverse function, now the events are displaying properly.
Hi rajgowd,
first I would like to beg you to format your posts better in the future. Splunkanswers provides different formatting options.
Note: There aren't any differences in the timestamps between the "old" and "new" differences.
Out of this statement...
"we are storing the difference in one file and indexing it. I would like to display recent changes to configuration files and show them in table format."
... I would suggest doing something like this:
index=yourindex source = /logs/conf/* sourcetype = systemdefault:hdmapp | top limit=50 | table _time source _raw
Instead of "_raw" you could also list your fields.
OR
index=yourindex source = /logs/conf/* sourcetype = systemdefault:hdmapp | transaction source | table _time source _raw
Hope this helps!
Regards,
pyro_wood
Hi,
Thank you. I can use the top command to display, but I am not sure whether the latest events are like 10 lines or 5 lines.
Here are the sample events:
Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3, VirtualToken00Label = CABOL-HA;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3,VirtualToken = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3, ServerHtl01 = 0;
Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3, CBOL-HA = 1;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3,HASynchronize = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3, VirtualToken00Members = 157803010,155322014;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3, VirtualToken00SN = 1157803010;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp
Hi rajowd,
try using the following search:
index=* source=/logs/conf/* sourcetype=systemdefault:hdmapp | transaction span=30s | table _time _raw
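To make the two approaches in this thread concrete, here is an added Python example (not code from any of the posters, and not the Perl job or a Splunk search). It parses lines in the "timestamp,host,diff line" shape shown above, selects the newest diff run two ways, and renders it as a table: first by exact match on the newest timestamp (the `eventstats latest(_time) ... | where current=_time` idea), then by grouping events into a 30-second window (my reading of the intent behind `transaction span=30s`, not a reimplementation of Splunk's transaction command). The sample events are constructed; the final event is deliberately stamped 2 seconds after the rest of its run, so the example also shows why exact-timestamp matching can drop lines when the cron job takes more than a second to write a diff.

```python
from datetime import datetime, timedelta

# Constructed sample events in the shape the thread shows ("<timestamp>,<host>,<diff line>"),
# listed in the order the diff job wrote them.  The 16:23 batch is an older run; the 18:20
# batch is the newest.  The last line is constructed 2 seconds later than the rest of its
# run, to show what happens when one run straddles a second boundary.
SAMPLE_EVENTS = [
    "Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3, VirtualToken00Label = CABOL-HA;",
    "Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3,VirtualToken = {",
    "Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3,}",
    "Tue Nov 16 16:23:45 2016,dm-a1fc-d5d3, ServerHtl01 = 0;",
    "Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3, CBOL-HA = 1;",
    "Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3,HASynchronize = {",
    "Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3,}",
    "Tue Nov 16 18:20:45 2016,dm-a1fc-d5d3, VirtualToken00Members = 157803010,155322014;",
    "Tue Nov 16 18:20:47 2016,dm-a1fc-d5d3, VirtualToken00SN = 1157803010;",  # constructed: 2 s later
]

TS_FORMAT = "%b %d %H:%M:%S %Y"  # the weekday token ("Tue") is dropped before parsing


def parse_event(line):
    """Split one indexed line into (timestamp, host, diff_text).

    maxsplit=2 matters: the diff text itself may contain commas
    (e.g. "VirtualToken00Members = 157803010,155322014;").
    """
    ts_text, host, diff_text = line.split(",", 2)
    stamp = datetime.strptime(ts_text.split(" ", 1)[1], TS_FORMAT)
    return stamp, host, diff_text.strip()


def latest_batch(lines):
    """Events carrying exactly the newest timestamp, in original (file) order.

    Same idea as `eventstats latest(_time) as current | where current=_time`.
    Splunk returns the newest event first, which is why the thread needed `| reverse`
    to get the diff lines back into file order; here the input order is simply kept.
    """
    events = [parse_event(line) for line in lines]
    newest = max(ev[0] for ev in events)
    return [ev for ev in events if ev[0] == newest]


def latest_window(lines, span_seconds=30):
    """Events of the most recent run, where a run is a group of consecutive events whose
    timestamps all fall within `span_seconds` of the group's first event.

    This keeps a run together even when the cron job takes a few seconds to write its
    lines, which an exact-timestamp match would split.  sorted() is stable, so events
    with equal timestamps keep their file order.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda ev: ev[0])
    groups = []
    for ev in events:
        if groups and ev[0] - groups[-1][0][0] <= timedelta(seconds=span_seconds):
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups[-1] if groups else []


def as_table(events):
    """Render (timestamp, host, diff_text) rows as aligned plain text."""
    header = ("_time", "host", "diff")
    rows = [header] + [(ev[0].strftime("%Y-%m-%d %H:%M:%S"), ev[1], ev[2]) for ev in events]
    widths = [max(len(row[i]) for row in rows) for i in range(3)]
    return "\n".join("  ".join(col.ljust(w) for col, w in zip(row, widths)) for row in rows)


if __name__ == "__main__":
    print("exact-timestamp match (drops the 18:20:47 line's siblings):")
    print(as_table(latest_batch(SAMPLE_EVENTS)))
    print("\n30-second window (whole run):")
    print(as_table(latest_window(SAMPLE_EVENTS)))
```

On the constructed sample, the exact-timestamp match returns a single line (only the 18:20:47 event is "latest"), while the 30-second window returns all five lines of the newest run in file order. That is the practical difference between the first answer's search and the last one: the window approach tolerates a slow diff run, at the cost of merging two runs that happen to land within the window.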