topic Re: How to compare fields across multiple sourcetypes in Splunk Search

How to compare fields across multiple sourcetypes

raby1996 — Fri, 20 Nov 2015 21:12:58 GMT

Hi all,
Im working on a search that essentially would take the field results from one search where I'm looking for a specific PBM ("Problem Number") and the RMTMS ("Reporting Serial Numbers") associated with it, and comparing it across another search where the update history of various machines are listed. In this other data I extract the "Bundle" and the serial number MTMS , so that I can compare the MTMS and RMTMS fields for equality, while appending the Bundle Information to it. Essentially my end result would be a table that lists the Serial Number of each machine that has reported that specific problem number, as well as what Code level it is on.
Here is what i have so far, which is pretty much just the two searches, however I haven't been able to compare the two fields, I have used join(the current search), append, and append pipe, however I might be using them incorrectly.
Thank you in advance for any help.

index=* "PMB#1" 
|rex field=storageFacilityMTMS "(?<RMTMS>2123-900\S+)" 
| stats values(PMB)  values(RMTMS) as RMTMS
| join [ search index=*  "Code Levels" " Package Level" AND "Sea.ha" 
| rex "(?:\n|.)\s+(?<BU1>(?:8[7]+\.\d+\.\d+\.\d+))"
| rex "(?m)Package:\s+ha(?:\n|.)*?VRMF:\s+(?<BU2>87\S+)"
| rex "(?m)Package:\s+sfi(?:\n|.)*?VRMF:\s+(?<BU3>87\S+)"
| rex "(?m)Package:\s+se(?:\n|.)*?VRMF:\s+(?<BU3>87\S+)"
| eval Bundle=0 | foreach BU* [ eval Bundle=max(largest_BU, BU1,BU2, BU3 ) ]
| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MTMS:(?<MT>\s+\d+\-\d+\S\S+)"  
| eval MTMS=coalesce(MT,RMTMS) 
| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?Package Level:\s+(?<LIC>\d+\.\d+\.\d+\.\d+)" 
| rex "(?m)Package:\s+SEA.ha.*?(?<MTMS>\s+\d+\-\d+\S\S+)" 
| eval MTMS=coalesce(MT,MS)| stats list(MTMS) as MTMS , list(Bundle) as Bundle ] 
|makemv RMTMS|mvexpand RMTMS | stats   list(MTMS) as MTMS values(RMTMS) as RMTMS , list(Bundle) as Bundle,| makemv MTMS| mvexpand MTMS| stats list(RMTMS) as MTMS , list(Bundle) as Bundle

Search 1 (before join command)

PMB       RMTMS
#1        2123-900-1
          2123-900-2
          2123-900-3

Search 2 (after the join command in search)

MTMS            Bundle
2123-900-1       87.1
2123-900-2       87.2
2123-900-7       87.3
2123-900-8       87.4

Combined Results ( matched RMTMS and MTMTS)

PMB    Matched_MTMS's        Bundle
#1        2123-900-1           87.1
          2123-900-2           87.2

In a nutshell im running two separate searches where I'm trying to match a field from each to create a single field ( RMTMS, MTMS) while adding the other fields to it ( PMB, Bundle).

Re: How to compare fields across multiple sourcetypes

woodcock — Sat, 21 Nov 2015 19:22:09 GMT

You need to explain exactly how the 2 datasets relate and what you are trying correlate. The best way to do that is go give a minimalist set of sample events and then a mockup of the desired output. If you do this, I believe somebody will be able to help you. As it is, I have no idea what you are trying to do but I am certain that your existing search is WAY over-complicated.

Re: How to compare fields across multiple sourcetypes

raby1996 — Mon, 23 Nov 2015 20:18:14 GMT

Yes your are right, thank you for pointing that out, I have revised it and hopefully it makes more sense now.

Re: How to compare fields across multiple sourcetypes

woodcock — Sun, 06 Mar 2016 04:09:55 GMT

I still do not get it at all. Explain it like this:
Search 1:

blah blah1

Search 2:

blah blah 2

Results 1:

boo-hoo 1

Results 2:

boo-hoo 2

Desired Results:

foo bar success

Re: How to compare fields across multiple sourcetypes

AndySplunks — Tue, 08 Mar 2016 15:02:27 GMT

If I'm understanding this correctly, is this what you are looking for:

You do a search of problem tickets that have individual ID numbers: search PBM

The results are logs for the problem tickets with the various RMTMS values. The RMTMS values are the serial numbers of the machines associated to the problem tickets.

You then want to take the serial numbers and search your asset inventory to see what the patch level is and compare the systems to see if they are equivalent?

So for instance, I've got problem ID PBM 8675309. The RMTMS values that come back for are serial numbers 00042, 01337, and 01010. I will then search my asset inventory to see if those three systems are all running NT 4 Patch 6 and IIS 3.12?

So then my end table would be:
00042 - NT 4 P 6 - IIS 3.12
01337 - OS/S IIS - IBM 2
01010 - NT 4 P 6 - IIS 3.11

Is that correct?