topic Re: Help with a search for barcodes based by group? in Splunk Search

Help with a search for barcodes based by group?

KayBeesKnees83 — Thu, 22 Sep 2022 18:21:12 GMT

I have a customer that would like to use Splunk to search for a set of devices by their respective barcodes.

The devices (barcodes) will come from an external list that will be placed in a separate index. For this scenario, the separate index will be referred to as "index 2". Additionally, the barcodes from the external list (which reside in index 2) will need to be matched to their respective organizations.

These organizations reside in a separate index. For this scenario, the separate index (where the organization resides) will be referred to as "index 1".

In a nutshell, the customer would like to compare the list of barcodes in index 2 and compare it to index 1 and see if they match any organizations.

Finally, if the a barcode (index 2) matches an organization (index 1), the customer would like to list all information associated with the barcode (i.e. hostname, serial number, organization name, etc.) that matched the organization.

Thank you in advanced for your help! 🙂

Re: Help with a search for barcodes based by group?

yuanliu — Thu, 22 Sep 2022 23:12:46 GMT

This is a well-written use case. These specifics greatly help others to contribute. The general idea is to put both indexed data sources together and discern which ones contain both sources, like this

index IN (index1, index2) [| tstats values(barcode) as barcode where index = index2] | stats latest(hostname) as hostname latest(serial_number) as serial_number latest(organization_name) as organization_name latest(etc) as etc by barcode | eval matched = if(isnull(organization), "no", "yes")

(The subsearch can improve performance if index1 contains significantly more bar codes than index2; you can reverse it to "where index=index1" if the opposite is true, or drop the subsearch if the two indices contain about the same number of bar codes.)

Hope this helps.

Re: Help with a search for barcodes based by group?

KayBeesKnees83 — Fri, 23 Sep 2022 13:31:41 GMT

Thank you for your reply. I sincerely appreciate your response. I had a question about the following:

latest(etc) as etc by barcode

What is the "etc" argument/field?

Re: Help with a search for barcodes based by group?

KayBeesKnees83 — Fri, 23 Sep 2022 15:08:14 GMT

My apologies on the "etc" post - I figured out that the "etc" represents the additional fields.

Thank you 🙂

Re: Help with a search for barcodes based by group?

KayBeesKnees83 — Fri, 23 Sep 2022 18:19:11 GMT

| eval matched = if(isnull(organization), "no", "yes")

Which field should be listed as "organization"?

Re: Help with a search for barcodes based by group?

yuanliu — Fri, 23 Sep 2022 18:32:14 GMT

"organization" was my spelling mistake. Should be organization_name in accordance to the preceding code.

Re: Help with a search for barcodes based by group?

KayBeesKnees83 — Fri, 23 Sep 2022 18:46:41 GMT

Unfortunately, only one event returns with "no" adjacent to the matched column. Furthermore, the other columns do not fully populate with results.

Re: Help with a search for barcodes based by group?

johnhuang — Fri, 23 Sep 2022 19:06:07 GMT

Here are 2 very simple way to do it:

index=index1 [search index2 | dedup barcode | table barcode] | stats latest(*) AS * by barcode

index IN (index1, index2) | stats latest(*) AS * values(index) AS index_list dc(index) AS index_ct BY barcode | eval matched=IF(index_ct=2, "Y", "N")

Re: Help with a search for barcodes based by group?

KayBeesKnees83 — Fri, 23 Sep 2022 19:33:52 GMT

Thank you for your reply 🙂 Both results returned different amounts. Option 1 returned about 20 results while Option 2 returned roughly 4 results.

Re: Help with a search for barcodes based by group?

johnhuang — Fri, 23 Sep 2022 19:37:52 GMT

Option 2 gives you a bit more flexibility if you want to see both matched and not matched records (e.g, filter on the field "matched" and "index_list")