How to compare a column with multiple columns in S...

vrmandadi · ‎11-21-2022

I am trying to compare a static column(Baseline) with multiple columns(hosts) and if there is a difference I need to highlight that cell in red

Component	BASELINE	HOSTA	HOSTB	HOSTC
GPU	20	20	5	7
GPU1	5	7	7	5
FW	2.4.2	2.4.2	2.4.2	2.4.3
IP	1.1.1.1	1.1.1.2	1.1.1.1	1.1.1.1
ID	[234 , 336]	[234 , 336]	[134 , 336]	[234 , 336]

<form theme="dark">
  <label>Preos Firmware Summary - Liquid Cooled</label>
  
  <fieldset submitButton="false">
    <input type="multiselect" token="tok_host" searchWhenChanged="true">
      <label>Host</label>
      <valueSuffix>,</valueSuffix>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=pre Type=Liquid_Cooled
| stats count by host 
| dedup host</query>
        <earliest>-90d@d</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <delimiter> </delimiter>
      <choice value="*">All</choice>
    </input>
    <input type="multiselect" token="tok_component" searchWhenChanged="true">
      <label>Component</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>Component</fieldForLabel>
      <fieldForValue>Component</fieldForValue>
      <search>
        <query>index=pre Type=Liquid_Cooled  host IN ($tok_host$)  "IB HCA FW" OR *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*" OR *NVSW* 
| rex field=_raw "log-inventory.sh\[(?&lt;id&gt;[^\]]+)\]\:\s*(?&lt;Component&gt;[^\:]+)\:\s*(?&lt;Hardware_Details&gt;.*)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?&lt;Hardware&gt;[^.*]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?&lt;Hardware1&gt;[^\,]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?&lt;Hardware2&gt;[^ ]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?&lt;Hardware3&gt;[^ ]+)" 
| rex field=_raw "VBIOS\:\s*(?&lt;Hardware4&gt;[^\,]+)" 
| rex field=_raw "NVSW(\d\s|\s)FW\:\s*(?&lt;Hardware5&gt;(.*))" 
| rex field=_raw "IB\s*HCA\sFW\:\s*(?&lt;Hardware6&gt;(.*))" 
| eval output = mvappend(Hardware,Hardware1,Hardware2,Hardware3,Hardware4,Hardware5,Hardware6) 
| replace BMC WITH "BMC and AUX" in Component 
| search Component IN("*") 
| stats latest(output) as output latest(_time) as _time by Component host 
| fields - _time 
| eval from="search" 
| join Component 
    [| inputlookup FW_Tracking_Baseline.csv 
    | search Component!=*ERoT* Component!=PCIeRetimer* Component!="BMC FW ver" 
    | table Component Baseline 
    | eval from="lookup" 
    | rename Baseline as lookup_output 
    | fields lookup_output Component output] 
| stats count(eval(lookup_output==output)) AS case BY host Component output lookup_output 
| replace 1 WITH "match" IN case 
| replace 0 WITH "No match" IN case 
| stats values(Component) as Component by host lookup_output case output 
| stats count by Component 
| dedup Component</query>
        <earliest>-90d@d</earliest>
        <latest>now</latest>
      </search>
      <valueSuffix>"</valueSuffix>
      <delimiter> ,</delimiter>
      <valuePrefix>"</valuePrefix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled host IN ($tok_host$) "IB HCA FW" OR *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*" OR *NVSW* 
| rex field=_raw "log-inventory.sh\[(?&lt;id&gt;[^\]]+)\]\:\s*(?&lt;Component&gt;[^\:]+)\:\s*(?&lt;Hardware_Details&gt;.*)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?&lt;Hardware&gt;[^.*]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?&lt;Hardware1&gt;[^\,]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?&lt;Hardware2&gt;[^ ]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?&lt;Hardware3&gt;[^ ]+)" 
| rex field=_raw "VBIOS\:\s*(?&lt;Hardware4&gt;[^\,]+)" 
| rex field=_raw "NVSW\d\s*FW\:\s*(?&lt;Hardware5&gt;(.*))" 
| rex field=_raw "IB\s*HCA\sFW\:\s*(?&lt;Hardware6&gt;(.*))" 
| eval output = mvappend(Hardware,Hardware1,Hardware2,Hardware3,Hardware4,Hardware5,Hardware6) 
| replace BMC WITH "BMC and AUX" in Component 
| stats latest(output) as output latest(_time) as _time by Component host 
| eval from="search"
| fields - _time 
| chart values(output) by Component host limit=0 
| fillnull value="No Data" | join Component 
    [ | inputlookup FW_Tracking_Baseline.csv 
| search Component!=*ERoT* Component!=PCIeRetimer* Component!="BMC FW ver" 
    | table Component Baseline 
    | eval from="lookup" 
    | fields Baseline Component output] 
| fields Component Baseline *
| fillnull value="No Data"</query>
          <earliest>-90d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

How to compare a column with multiple columns in Splunk and highlight the cell not matching with red?

Dashboard Studio

other

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio