- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to get last updated time for log path files t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From a splunk search, i get results of the log files that aren't updated for the past 15 minutes. I created this using setdiff command. Now i want to show the last updated time of those log files beside their log path names.
| set diff [ search index=* host= * |dedup source host| table source host | search source= "*log"] [|inputlookup xyz.csv | dedup source host | table source host] | dedup source host
xyz.csv is the file with all logs.
this search shows us the results of those log path files that arent updated in the past 15 minutes if search time is fixed for 15 min.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=* host=*
| eval time=_indextime
| stats latest(time) as _time by source,host
| where _time < relative_time(now(),"-15m")
Hi,
If you want to get the last update time of the log path file that has not been updated in the past 15 minutes, I think it's okay here.
I'm sorry if the question is the CSV file update time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=* host=*
| eval time=_indextime
| stats latest(time) as _time by source,host
| where _time < relative_time(now(),"-15m")
Hi,
If you want to get the last update time of the log path file that has not been updated in the past 15 minutes, I think it's okay here.
I'm sorry if the question is the CSV file update time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot @to4kawa . It worked.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your welcome,happy Splunking.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa
This worked perfectly. I just wanted to do some modifications in it. So the above search gives us the result of the logs that didnt get updated in last 15min. So lets say the result is as follows
source host _time
A P
B Q
C R
D . S
E . T
But i know that a particular servers are down and not working and i'm sure the log paths wouldn't get updated. say
1)
A P
D S
So i wanted to eliminate these in the final alert i get.
So i tried using set diff command .. |set diff [first search] [input lookup test.csv]
test.csv would have details of 1)
I wanted final result as
source host _time
B Q
C R
E . T
But it doesn't work.Instead it gives me trash values. let me know what went wrong and what should be done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| metadata type=hosts index=*
| foreach *Time
[eval <<FIELD>> = strftime(<<FIELD>>,"%c")]
Hi, long time no see.
You can check the log status for each host with the above command.
This time I used strftime to make it easier to understand, but I think that you can add conditions with where instead.
It is not a direct answer, but for reference.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
