Splunk Search

search to show hosts missing specific winevent log

jztilly
Engager

Hi there,

I've got a basic search to provide the most recent timestamp for a successful backup using wineventlog data:

index="wineventlog" source="WinEventLog:Application" SourceName="Symantec System Recovery" host=*grp*
| search Message=*6C8F1F7E* OR Message=*6C8F1F7D* OR Message=*6C8F1F7A*
| dedup host
| table host, _time

However, I'm really struggling to come up with a search that shows me all the *grp* hosts whether they have the successful backup strings in the Message field  (*6C8F1F7E* or *6C8F1F7D* or *6C8F1F7A*) or not.

My closest attempt seems to be this:

index="wineventlog" source="WinEventLog:Application" SourceName="Symantec System Recovery" host=*pgrp* 
| eval success = case(Message like "%6C8F1F7E%",1,Message like "%6C8F1F7D%",1,Message like "%6C8F1F7A%",1,Message like "%",0)
| stats sum(success) as Successes by host
| where Successes < 1

My hope is for a table with the following columns:

  • Host
  • Last successful backup date/time or "N/A" if there was no successful backup in the selected timerange
  • Days since last backup

Any help or advice would be greatly appreciated!

Cheers


bowesmana
SplunkTrust

Something along the lines of

index="wineventlog" source="WinEventLog:Application" SourceName="Symantec System Recovery" host=*pgrp*
| eval success = if(match(Message, "6C8F1F7E|6C8F1F7D|6C8F1F7A"), 1, 0)
| stats max(_time) as LastBackup max(eval(if(success=1,_time, null()))) as LastSuccessfulBackup sum(success) as Successes by host
| fillnull value="N/A" LastSuccessfulBackup
| eval DaysSinceLastBackup=round((now()-LastBackup)/86400)

(Edit: Fixed typo in eval)

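A complete search along the same lines, written here as an added example rather than code taken from the thread. It keeps the successful-backup timestamp null when a host never logged one of the three event strings (so the "N/A" substitution actually triggers; a max() over zeros would return 0 instead of null), formats the timestamps, computes days since the last successful backup, and sorts hosts with no successes to the top. Column names other than host are my own choice.

```spl
index="wineventlog" source="WinEventLog:Application" SourceName="Symantec System Recovery" host=*grp*
| eval success=if(match(Message, "6C8F1F7E|6C8F1F7D|6C8F1F7A"), 1, 0)
| stats max(_time) as LastEvent,
        max(eval(if(success=1, _time, null()))) as LastSuccessfulBackup,
        sum(success) as Successes
        by host
| eval DaysSinceLastBackup=if(isnull(LastSuccessfulBackup), "N/A", round((now()-LastSuccessfulBackup)/86400))
| eval LastSuccessfulBackup=if(isnull(LastSuccessfulBackup), "N/A", strftime(LastSuccessfulBackup, "%Y-%m-%d %H:%M:%S"))
| eval LastEvent=strftime(LastEvent, "%Y-%m-%d %H:%M:%S")
| sort Successes
| table host, LastSuccessfulBackup, DaysSinceLastBackup, LastEvent, Successes
```

One caveat worth checking before trusting the table: stats only produces a row for hosts that logged at least one Symantec System Recovery event in the selected time range. A host whose backup agent has stopped logging entirely, which is the case you most want to catch, will be absent rather than listed as "N/A". To surface those, keep an inventory of expected backup hosts in a lookup (an assumed file such as backup_hosts.csv with a host column) and left-join this search's results onto it, so every expected host appears whether or not it reported.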

jztilly
Engager

Thanks for the reply! I've been trying to get that to produce a result but not having much luck.

The original error after copy/paste is: Error in 'eval' command: The expression is malformed. Expected ).

I've been going through line-by-line and got the second line working by changing it to this:

index="wineventlog" source="WinEventLog:Application" SourceName="Symantec System Recovery" host=*pgrp* 
| eval success = if(Message like "%6C8F1F7E%|%6C8F1F7D%|%6C8F1F7A%", 1, 0)

but each subsequent line fails from there.

Edit: nope, my edit to line 2 doesn't work either 😁


bowesmana
SplunkTrust

@jztilly 

My bad - fixed some typos - I seem to remember hitting post just as I was running out the door 😞
