Search to find the timestamp of each (Login, Logou...

sahil237888 · ‎09-27-2019

Hi Guys,

Can anyone please help me in the below search.
I want the name of all logfiles with details of keywords from each sourcetype.
If there is a keyword present in the specific log file then the last time when that keyword was there in the log file.

The Login , Logout, Expire are the keywords available in _raw field.
The timestamp field specifies the logs are updated how many minutes/hours ago(last updated time of log file)

I am using below search but no results and not sure how to get last updated thing:

index=serverlogs source=server*.log
 | eval status=if(_raw LIKE "*Login*" ,Login, _raw LIKE "*LogOut*","Logout", _raw LIKE "*Expire*","Expire",0 )

woodcock · ‎10-03-2019

Try this:

index=serverlogs source=server*.log
| eval status=case(
   match(_raw, "Login",  "Login",
   match(_raw, "LogOut", "Logout", 
   match(_raw, "Expire", "Expire",
   true(), "Other")

gcusello · ‎09-28-2019

Hi sahil237888,
whay don't you tried to use tags?
you should create three different eventypes and associate to each of them a tag:

index=serverlogs source=server*.log login for tag=login
index=serverlogs source=server*.log logout for tag=logout
index=serverlogs source=server*.log logfail for tag=logfail

In this way, yoy have the keywords to display:

index=serverlogs source=server*.log
| table _time source tag

Using this method I created an entire apps to display login, logout and logfail of many different systems, creating many eventyper (three for each kind of system) associating the related tag.

Bye.
Giuseppe

Search to find the timestamp of each (Login, Logout, Expire) keyword from _raw and log file last updated time

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!