https://community.splunk.com/t5/Splunk-Search/Extracting-a-composite-variable-and-comparing-it-with-the-rows/m-p/677993#M231859 <P>It is not clear whether you are matching hostname and vulnerability or dev and vulnerability. In either case, your table doesn't appear to have any rows where patch should be NO (according to your logic). Please can you clarify your requirement.</P><P>If the table was supposed to be the result, rather than the events, please can you share some sample events.</P> Mon, 19 Feb 2024 14:55:17 GMT ITWhisperer 2024-02-19T14:55:17Z https://community.splunk.com/t5/Splunk-Search/Extracting-a-composite-variable-and-comparing-it-with-the-rows/m-p/677992#M231858 <P>"I have an issue with creating a field named 'Path' which should be populated with 'YES' or 'NO' based on the following information:</P><P>I have fields like 'Hostname', 'dev', and 'vulnerability'. I need to take the values in 'dev' and 'vulnerability' and check if there are other rows with the same 'hostname' and 'vulnerability'. If there is a match, I write 'NO' in the 'Path' field; otherwise, I write 'YES'."<BR /><BR /></P><TABLE border="1"><TBODY><TR><TD width="25%" height="39px"><P><SPAN>Hostname&nbsp;</SPAN></P></TD><TD width="25%" height="39px">dev</TD><TD width="25%" height="39px"><SPAN>vulnerabilita </SPAN></TD><TD width="25%" height="39px"><SPAN>patch </SPAN></TD></TR><TR><TD width="25%" height="24px"><SPAN>A</SPAN></TD><TD width="25%" height="24px"><SPAN>B</SPAN></TD><TD width="25%" height="24px"><SPAN>apache </SPAN></TD><TD width="25%" height="24px"><SPAN>SI </SPAN></TD></TR><TR><TD width="25%" height="24px"><SPAN>A</SPAN></TD><TD width="25%" height="24px"><SPAN>B</SPAN></TD><TD width="25%" height="24px"><SPAN>sql</SPAN></TD><TD width="25%" height="24px"><SPAN>NO</SPAN></TD></TR><TR><TD width="25%" height="24px"><SPAN>B</SPAN></TD><TD width="25%" height="24px"><SPAN>0</SPAN></TD><TD width="25%" height="24px"><SPAN>apache </SPAN></TD><TD width="25%" height="24px">NO</TD></TR><TR><TD width="25%" height="24px"><SPAN>B</SPAN></TD><TD width="25%" height="24px"><SPAN>0</SPAN></TD><TD width="25%" height="24px"><SPAN>python</SPAN></TD><TD width="25%" height="24px"><SPAN>NO </SPAN></TD></TR><TR><TD width="25%" height="24px"><SPAN>C </SPAN></TD><TD width="25%" height="24px"><SPAN>A </SPAN></TD><TD width="25%" height="24px"><SPAN>apache</SPAN></TD><TD width="25%" height="24px"><SPAN>SI</SPAN></TD></TR></TBODY></TABLE> Mon, 19 Feb 2024 14:47:44 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-a-composite-variable-and-comparing-it-with-the-rows/m-p/677992#M231858 omcollia 2024-02-19T14:47:44Z https://community.splunk.com/t5/Splunk-Search/Extracting-a-composite-variable-and-comparing-it-with-the-rows/m-p/677993#M231859 <P>It is not clear whether you are matching hostname and vulnerability or dev and vulnerability. In either case, your table doesn't appear to have any rows where patch should be NO (according to your logic). Please can you clarify your requirement.</P><P>If the table was supposed to be the result, rather than the events, please can you share some sample events.</P> Mon, 19 Feb 2024 14:55:17 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-a-composite-variable-and-comparing-it-with-the-rows/m-p/677993#M231859 ITWhisperer 2024-02-19T14:55:17Z https://community.splunk.com/t5/Splunk-Search/Extracting-a-composite-variable-and-comparing-it-with-the-rows/m-p/678047#M231882 <P><SPAN>"I will have a table composed of Hostname, Dev (hostname of the development machine associated with the machine in the Hostname field), vulnerability (vulnerability associated with the machine in Hostname). The Dev field is only used to see if the machine in Hostname has a machine in development associated with it. I should verify that in my table there is not that machine (in this case in the hostname field) associated with the same vulnerability."<BR /><BR /></SPAN></P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%" height="24px">HOSTNAME</TD><TD width="33.333333333333336%" height="24px">DEV</TD><TD width="33.333333333333336%" height="24px">VULNERABILITà</TD></TR><TR><TD width="33.333333333333336%" height="24px">PAPERINO</TD><TD width="33.333333333333336%" height="24px">pippo</TD><TD width="33.333333333333336%" height="24px">APACHE</TD></TR></TBODY></TABLE><P><SPAN><BR />In this case, my machine "paperino" has a vulnerability "apache", and it also has a development machine associated with it. Therefore, I should verify that for the machine "Pippo" there isn't the same vulnerability<BR /></SPAN><BR /><BR /></P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%" height="24px">HOSTNAME</TD><TD width="33.333333333333336%" height="24px">DEV</TD><TD width="33.333333333333336%" height="24px">VULNERABILITà</TD></TR><TR><TD width="33.333333333333336%" height="24px">PIPPO</TD><TD width="33.333333333333336%" height="24px">-</TD><TD width="33.333333333333336%" height="24px">APACHE</TD></TR></TBODY></TABLE><P><BR /><SPAN>If this row were present in my search, then in the row of the table above, I should write "YES" in my new field that I will create. because pippo have same vulnerability (apache )</SPAN></P> Tue, 20 Feb 2024 09:23:11 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-a-composite-variable-and-comparing-it-with-the-rows/m-p/678047#M231882 omcollia 2024-02-20T09:23:11Z https://community.splunk.com/t5/Splunk-Search/Extracting-a-composite-variable-and-comparing-it-with-the-rows/m-p/678054#M231885 <P>Thanks for a clearer description of your usecase</P><P>Please try this</P><LI-CODE lang="markup">| eventstats values(Hostname) as hosts by vulnerability | eval patch=if(isnotnull(mvfind(hosts,dev)), "Yes", "No")</LI-CODE> Tue, 20 Feb 2024 10:46:43 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-a-composite-variable-and-comparing-it-with-the-rows/m-p/678054#M231885 ITWhisperer 2024-02-20T10:46:43Z