https://community.splunk.com/t5/Splunk-Search/Regex-help-in-filtering-machines-that-were-not-compliant-that/m-p/223969#M65966 <P>Thanks @javiergn!</P> <P>In testing your suggested regex, I narrowed it down to the one host (<STRONG>in bold above</STRONG>), 703024710LSYF. </P> <P>For this host, there were 54 events where status="Non-compliant" and 1 event where status="compliant". It's most recent status is "compliant" which we don't want on the list and <STRONG>it worked!</STRONG> </P> <P>Thanks again!</P> Wed, 13 Jan 2016 16:26:28 GMT tristamaltizo 2016-01-13T16:26:28Z https://community.splunk.com/t5/Splunk-Search/Regex-help-in-filtering-machines-that-were-not-compliant-that/m-p/223967#M65964 <P>I have events that detect compliance of machines via forescout data (we don't have the app installed) and <STRONG>I'd like to filter on only those machines that have been and remained non-compliant (in the last 30days).</STRONG> </P> <P>In my current regex, it's listing all unique combinations of machine and status (or rather description which is aligned to the status).</P> <P>index="forescout" sourcetype="fs_dlp_compliance" | dedup src_nt_host description sortby +src_nt_host -_time | table src_nt_host description status user _time</P> <P>Sample output:<BR /> 703019998LSYF Symantec DLP installed and running compliant 703019998 2015-12-17T09:23:26.000-0500<BR /> <STRONG>703024710LSYF</STRONG> Symantec DLP installed and running compliant 703024710 2016-01-11T20:57:25.000-0500<BR /> <STRONG>703024710LSYF</STRONG> DLP Not installed Non-compliant 703024710 2016-01-06T19:11:54.000-0500<BR /> 703039420LSYF Symantec DLP installed and running compliant 703039420 2016-01-10T10:42:09.000-0500<BR /> 703039420LSYF DLP Not installed Non-compliant 703039420 2016-01-06T19:11:54.000-0500<BR /> BSHYDSY-D230 DLP Not installed Non-compliant USER 2016-01-05T12:50:14.000-0500<BR /> BSHYDSY-L007 DLP Not installed Non-compliant USER 2016-01-11T20:58:26.000-0500<BR /> BSHYDSY-L008 DLP Not installed Non-compliant USER 2016-01-07T03:49:19.000-0500<BR /> BSHYDSY-L011 DLP Not installed Non-compliant USER 2016-01-12T06:44:05.000-0500</P> <P>So, again, those events that have status "Non-compliant" that DON'T have another event that have status "compliant" (in the last 30days) are the ones I'd like to filter on.</P> <P>Any help is appreciated!</P> Tue, 29 Sep 2020 08:22:08 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-in-filtering-machines-that-were-not-compliant-that/m-p/223967#M65964 tristamaltizo 2020-09-29T08:22:08Z https://community.splunk.com/t5/Splunk-Search/Regex-help-in-filtering-machines-that-were-not-compliant-that/m-p/223968#M65965 <P>This is what I would do (not validated so keep an eye on the syntax):</P> <PRE><CODE>index="forescout" sourcetype="fs_dlp_compliance" earliest=-30d@d | fields src_nt_host status | eval statusValue = if(match(status, "Non-compliant"), 0, 1) | stats sum(statusValue) as statusValue by src_nt_host | search statusValue = 0 | table src_nt_host </CODE></PRE> <P>If you then need to display other fields such as description or user you can use the same technique. </P> <P>Hope that works for you. </P> Tue, 12 Jan 2016 21:24:54 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-in-filtering-machines-that-were-not-compliant-that/m-p/223968#M65965 javiergn 2016-01-12T21:24:54Z https://community.splunk.com/t5/Splunk-Search/Regex-help-in-filtering-machines-that-were-not-compliant-that/m-p/223969#M65966 <P>Thanks @javiergn!</P> <P>In testing your suggested regex, I narrowed it down to the one host (<STRONG>in bold above</STRONG>), 703024710LSYF. </P> <P>For this host, there were 54 events where status="Non-compliant" and 1 event where status="compliant". It's most recent status is "compliant" which we don't want on the list and <STRONG>it worked!</STRONG> </P> <P>Thanks again!</P> Wed, 13 Jan 2016 16:26:28 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-in-filtering-machines-that-were-not-compliant-that/m-p/223969#M65966 tristamaltizo 2016-01-13T16:26:28Z