Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Loops on csv file

kacel
New Member
‎07-03-2019 03:25 AM

hi,
i comeback to ask u again about my problem ;
so :
| inputlookup Obso_Inventory.csv
| eval Compo=case(Composant="WAF", "LBWAF", Composant="LOAD BALANCER", "LBWAF", Composant="PROXY", "Browsing", Composant="FIREWALL", "Firewall", Composant="GATEWAY SSL", "Remote Access", Composant="GATEWAY SSL VPN", "Remote Access", Composant="IPS", "Anti-Intrusion", Composant="TAP", "Anti-Intrusion")
|rename Compo as Composant
| search Composant="Firewall" Editeur="" Metier="" Platform="*"
| foreach Hostname [eval temp = if(match(Parent,Hostname), "hello", "Noooooo") ]
| table temp

when i execut this the result is :
Noooooo
Noooooo
Noooooo
Noooooo
Noooooo
Noooooo

the problem i me sur ther is a value from Parent that match Hostname
i want to that retun hello .
not only comparing in same raw that is the problem
thank you

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-03-2019 05:51 AM

@kacel,

Try this

| inputlookup Obso_Inventory.csv
| eval Compo=case(Composant="WAF", "LBWAF", Composant="LOAD BALANCER", "LBWAF", Composant="PROXY", "Browsing", 
                  Composant="FIREWALL", "Firewall", Composant="GATEWAY SSL", "Remote Access", 
                  Composant="GATEWAY SSL VPN", "Remote Access", Composant="IPS", "Anti-Intrusion", 
                  Composant="TAP", "Anti-Intrusion")
|rename Compo as Composant
| search Composant="Firewall" Editeur="" Metier="" Platform="*" 
| eventstats values(Parent) as _tmp
| eval found=if(isnull(mvfind(_tmp,Hostname)),0,1)
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-03-2019 05:51 AM

@kacel,

Try this

| inputlookup Obso_Inventory.csv
| eval Compo=case(Composant="WAF", "LBWAF", Composant="LOAD BALANCER", "LBWAF", Composant="PROXY", "Browsing", 
                  Composant="FIREWALL", "Firewall", Composant="GATEWAY SSL", "Remote Access", 
                  Composant="GATEWAY SSL VPN", "Remote Access", Composant="IPS", "Anti-Intrusion", 
                  Composant="TAP", "Anti-Intrusion")
|rename Compo as Composant
| search Composant="Firewall" Editeur="" Metier="" Platform="*" 
| eventstats values(Parent) as _tmp
| eval found=if(isnull(mvfind(_tmp,Hostname)),0,1)
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

kacel
New Member
‎07-03-2019 06:33 AM

Thank you very much the result shows 1 when it is a match and 0 else .

its the best way to find same value of coulumn without using loops between two culumn
thank u.

0 Karma
Reply
Solved! Jump to solution

kacel
New Member
‎07-03-2019 06:37 AM

could you give us an explication please ?

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-03-2019 07:00 AM

sure. Last two lines can be rewritten as below to give a better idea

| eventstats values(Parent) as tmp
 | eval found=if(isnull(mvfind(tmp,Hostname)),0,1)

By using eventstats we create a list of "Parents" for each row. Host name is then matched against this list which returns null for non-matching and an index for matching records . The result is then evaluated using if and assigns to "found" . 1 and 0 can be replaced with any values for e.g. "Yes","No" etc

Hope this helps!

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-03-2019 05:29 AM

Parent and Hostname must match exactly.
Please edit your query to show how the Parent and Hostname fields are obtained.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...