topic Re: Matching field values to text in Splunk Search

Matching field values to text

dsb6 — Tue, 23 Nov 2021 20:14:29 GMT

I have a base search:
index=oswin EventCode=19 SourceName="Microsoft-Windows-WindowsUpdateClient" earliest=-10d ComputerName=*.somedomain.com
| rex "\WKB(?<KB>.\d+)\W"

The result populates field ‘KB’ with a list of values similar to:
5007192
5008601
890830

I need to test if ‘KB’ contains one of the following:
“5008601”, “5008602”, “5008603”, “5008604”, “5008605”, “5008606”

If a match is found, populate field HotFixID (new field) with the matched value. If no match is found, populate field HotFixID with “NotInstalled”.

Using search KB IN (5008601,5008602,5008603,5008604,5008605,5008606) results in matched values only. Case function works only if the matched value is the last one evaluated, otherwise it returns "notInstalled" even though a match is present.

Re: Matching field values to text

bowesmana — Tue, 23 Nov 2021 21:05:12 GMT

Use the if(in(a,b)) style as this

| makeresults | eval KB=split("5007192,5008601,890830", ",") | mvexpand KB | eval HotFixID=if(in(KB, 5008601,5008602,5008603,5008604,5008605,5008606), KB, "Not Installed")

Last line is what you want

Re: Matching field values to text

bowesmana — Tue, 23 Nov 2021 21:10:05 GMT

Alternatively if you want these numbers to be defined in an external lookup, so you can edit the lookup to maintain the hot fix ids, then just make a CSV with a single field 'HotFixID' with the list of IDs you want to match then use this logic

index=oswin EventCode=19 SourceName="Microsoft-Windows-WindowsUpdateClient" earliest=-10d ComputerName=*.somedomain.com | rex "\WKB(?<KB>.\d+)\W" | lookup your_list_of_hotfix_ids.csv HotFixID as KB OUTPUIT HotFixID as Found | eval HotFixID=if(isnull(Found), "Not Installed", KB)

Hope this helps

Re: Matching field values to text

dsb6 — Tue, 23 Nov 2021 21:52:38 GMT

The suggested if(in(a,b)) does return the required results however, the results include a HotFixID value for each KB value. Using the sample KB values from my post, results for HotFixID are

NotInstalled
5008601
NotInstalled

Preference would be to have one result per ComputerName with HotFixID value of matched KB value or NotInstalled.

Re: Matching field values to text

bowesmana — Wed, 24 Nov 2021 23:41:20 GMT

Not sure I understand - the example search shows

Are you getting something different?

Re: Matching field values to text

dsb6 — Tue, 07 Dec 2021 22:05:44 GMT

Thanks for your reply bowesmana. I was not clear on the desired output.

EventCode=19 will return multiple results for hundreds of ComputerName matches. The desired output is one line per ComputerName where HotFixID is either the matched KB or 'NotInstalled'.

Re: Matching field values to text

bowesmana — Wed, 08 Dec 2021 01:43:57 GMT

The two solutions I mentioned earlier - do neither of those give you what you want. If not, what is wrong with them.