From Splunk Wiki
#
# Multi-value field extraction
# file size change, compare two events
#
1. Create a script
Script: $SPLUNK_HOME/etc/apps/search/bin/test_du.sh
#------------------------------------------------------
#!/bin/bash
# Print "<size in KB> <path>" for every regular file directly under the log directory
find /home/masa/Log -maxdepth 1 -type f | xargs du -sk
#------------------------------------------------------
# Example of the script output (here sorted by size, largest first, top 10 only)
# find /home/masa/Log -maxdepth 1 -type f | xargs du -s | sort -rn | head
1144 /home/masa/Log/test_log4.log
1136 /home/masa/Log/test_log2.log
68 /home/masa/Log/maillog_part.log
12 /home/masa/Log/udp-disordertimestamp.log
8 /home/masa/Log/udp-multiline.log
8 /home/masa/Log/test_exchange.txt
8 /home/masa/Log/test_56118.log
8 /home/masa/Log/test_0000.log
8 /home/masa/Log/snort.log
4 /home/masa/Log/test_win_ip.log
2. Set up the script as a scripted input that runs every 2 min, with "SHOULD_LINEMERGE = false" (one event per output line) and the field extraction below.
- inputs.conf
[script://$SPLUNK_HOME/etc/apps/search/bin/test_du.sh]
interval = 120
host = filesize
disabled = 0
- props.conf
[host::filesize]
SHOULD_LINEMERGE = false
REPORT-filesize = fieldExtraction-filesize
- transforms.conf
[fieldExtraction-filesize]
REGEX = ^(\S+)\s(\S+)
FORMAT = size::$1 file::$2
MV_ADD = true
3. Run the query every 2 min over a 4 min window, so that exactly two events (the current and the previous run) are compared for each file.
host="filesize" earliest=-6m@m latest=-2m@m | stats values(size) range(size) by file
Or,
host="filesize" earliest=-4m@m latest=-2m@m | join file [ search host="filesize" earliest=-6m@m latest=-4m@m | rename size AS sizePrev ] | table file size sizePrev
Or,
Use streamstats.