topic How to replace any multi values found in search result with true and if the value is null replace with No in Splunk Search

How to replace any multi values found in search result with true and if the value is null replace with No

vinaykataaig — Wed, 07 Aug 2019 15:38:22 GMT

Hi there!
I am updating my question:
Below is the scenario where I wanted to see what are the servers got patched since last 3 months. My query pulls up the below table showing server name and patches installed by month and if there is not patched installed for that specific month i did a fill null values to show as "Not Patched". By doing this we just wanted to check if the server is patched for that month or not, we don't need the patch names to be shown.So I wanted to replace all those patch names to some other values like "True"/Patched/yes.

Re: How to replace any multi values found in search result with true and if the value is null replace with No

richgalloway — Wed, 07 Aug 2019 16:57:03 GMT

What is your query? What exactly do you want replaced with "True/Yes"?

Re: How to replace any multi values found in search result with true and if the value is null replace with No

vinaykataaig — Wed, 07 Aug 2019 18:40:10 GMT

Thanks for the response, I have updated my question.

Re: How to replace any multi values found in search result with true and if the value is null replace with No

mayurr98 — Wed, 07 Aug 2019 19:15:46 GMT

I have updated my answer pls try if it doesn't work then could you provide the splunk query to get this result?

Re: How to replace any multi values found in search result with true and if the value is null replace with No

richgalloway — Wed, 07 Aug 2019 19:50:37 GMT

Please share your query.

Re: How to replace any multi values found in search result with true and if the value is null replace with No

vinaykataaig — Wed, 30 Sep 2020 01:41:31 GMT

index="oswin" sourcetype="windowsupdatelog" |search "Patch Deployment" AND "AGENT_INSTALLING_SUCCEEDED"

| rex field=_raw "^(?:[^:\n]*:){9}\s+(?P.+)"
| eval server = Upper(mvindex(split(host,"."),-0))
| eval start=strptime(Time, "%Y-%m-%d %H:%M:%S.%N")
| eval day = strftime(start, "%a")
| eval Month = Upper(date_month)
| chart values(ApplicablePatch) as ApplicablePatch by server Month | fillnull value="Not Patched"

Re: How to replace any multi values found in search result with true and if the value is null replace with No

mayurr98 — Wed, 07 Aug 2019 20:21:12 GMT

Try this :

index="oswin" sourcetype="windowsupdatelog" "Patch Deployment" AND "AGENT_INSTALLING_SUCCEEDED" 
| rex field=_raw "^(?:[^:\n]*:){9}\s+(?P.+)" 
| eval server = Upper(mvindex(split(host,"."),-0)) 
| eval start=strptime(Time, "%Y-%m-%d %H:%M:%S.%N") 
| eval day = strftime(start, "%a") 
| eval Month = Upper(date_month) 
| replace * WITH "Patched" IN ApplicablePatch 
| chart values(ApplicablePatch) as ApplicablePatch by server Month 
| fillnull value="Not Patched"

index="oswin" sourcetype="windowsupdatelog" "Patch Deployment" AND "AGENT_INSTALLING_SUCCEEDED" 
| rex field=_raw "^(?:[^:\n]*:){9}\s+(?P.+)" 
| eval server = Upper(mvindex(split(host,"."),-0)) 
| eval start=strptime(Time, "%Y-%m-%d %H:%M:%S.%N") 
| eval day = strftime(start, "%a") 
| eval Month = Upper(date_month) 
| chart values(ApplicablePatch) as ApplicablePatch by server Month 
| fillnull value="Not Patched" 
| foreach JANUARY FEBRUARY MARCH APRIL MAY JUNE JULY AUGUST SEPTEMBER OCTOBER NOVEMBER DECEMBER 
    [ eval <<FIELD>>=if(<<FIELD>>="Not Patched","Not Patched","Patched")]

Re: How to replace any multi values found in search result with true and if the value is null replace with No

vinaykataaig — Wed, 07 Aug 2019 20:42:51 GMT

Actually First search worked for me. Thank you!!
And also i thought of doing it another way as well, Just by writing eval logic if the count(Applicable Patch) >"0" then show Patched if the value is null then Not patched.

| replace * WITH "Patched" IN ApplicablePatch
| chart values(ApplicablePatch) as ApplicablePatch by server Month
| fillnull value="Not Patched"