topic Re: How to evaluate the following string as a fields in Splunk Search

How to evaluate the following string as a fields

Hema_Nithya — Sun, 13 Aug 2023 18:59:05 GMT

Hi ,
I have two servers with plugin details . I want to evaluate a column as Package_installed and Package_shouldbe based on the hostname in separate column .

server2 has multiple packages I want separate row and column for each package_shouldbe and package_installed and hostname field should be same .

hostname	Plugins
server1	Plugin Output: Remote package installed : gnutls-3.6.16-5.el8_6 Should be : gnutls-3.6.16-6.el8_7 NOTE: The vulnerability information above was derived by checking the package versions of the affected packages from this advisory. This scan is unable to rely on Red Hat's own security checks, which consider channels and products in their vulnerability determinations.
server2	Plugin Output: Remote package installed : httpd-2.4.6-98.el7_9.6 Should be : httpd-2.4.6-98.el7_9.7 Remote package installed : httpd-tools-2.4.6-98.el7_9.6 Should be : httpd-tools-2.4.6-98.el7_9.7 Remote package installed : mod_session-2.4.6-98.el7_9.6 Should be : mod_session-2.4.6-98.el7_9.7 NOTE: The vulnerability information above was derived by checking the package versions of the affected packages from this advisory. This scan is unable to rely on Red Hat's own security checks, which consider channels and products in their vulnerability determinations.

Re: How to evaluate the following string as a fields

richgalloway — Sun, 13 Aug 2023 19:40:37 GMT

Try this:

<<your current search>> ``` Extract installed packages ``` | rex max_match=0 field=Plugins "package installed\s*:\s*(?<installed>\S+)" ``` Extract "should be" names ``` | rex max_match=0 field=Plugins "Should be\s*:\s*(?<shouldBe>\S+)" ``` Pair installed with shouldBe ``` | eval packages=mvzip(installed, shouldBe, "#") ``` Give each pair its own event ``` | mvexpand packages ``` Break pairs apart ``` | eval packages=split(packages, "#") | eval installed=mvindex(packages, 0), shouldBe=mvindex(packages, 1) | table hostname installed shouldBe

Re: How to evaluate the following string as a fields

Hema_Nithya — Mon, 14 Aug 2023 03:51:19 GMT

It worked , thanks a lot

Re: How to evaluate the following string as a fields

Hema_Nithya — Wed, 30 Aug 2023 18:33:29 GMT

I have another issue in comparing and want to compare should_be with server_installed_package . Sometime package installed is higher after patching . Example given below for git , if the number 2 < 3 , it should mark as completed , else it should check for the next digit if it is 2. and it should check for another number .

CI	Installed	shouldbe	server_installed_package
server1	git-2.31.1-3.el8_7	git-2.39.3-1.el8_8	git-3.40.3-1.el8_8	Not complete

Re: How to evaluate the following string as a fields

richgalloway — Wed, 30 Aug 2023 20:36:22 GMT

A new issue should be in a new question.