Splunk IT Service Intelligence

How to edit my compliance search to make any product version higher than the one in my lookup file be considered Compliant?

sandeepshah81
Explorer

I have a compliance search which I have created using a lookup file that does give results. However, a product version which is higher than the one I have in the lookup file should be considered Compliant, but it is being considered Non-Compliant in the result.

I have a lookup file in csv format with the details below:

DisplayName, DisplayVersion, Status
Adobe Acrobat Reader DC, 18.11.20040, Compliant

I am using a query like the one below, where one of the Application Names is not actually the name of the Application but a Plugin to the main application, so I am excluding it from the search (Extended Asian Language font pack for Adobe Acrobat Reader DC).

index=abc_aa sourcetype=xxxxxxxx OsVersion=10.0 host="*" (DisplayName="Adobe Acrobat Reader DC" AND DisplayName!="Extended Asian Language font pack for Adobe Acrobat Reader DC") | table host DisplayName DisplayVersion OsVersion | lookup Coreapps.csv DisplayVersion OUTPUTNEW Status | eval Status=if(isnull(Status),"NonCompliant",Status)

I am able to get results with the table command,
but in the results: if I have a PC on which the Application version is greater than the one I have in my lookup file (18.11.20040 is in my lookup file), it takes that version as Non-Compliant, which actually should not be the case as it is a higher version. I do not want to add that higher version to the lookup file.

Is there any other option to detect that any version higher than or equal to the one I have selected is Compliant and lower than it is Non-Compliant?

How do I achieve it?

johnnyfrx
Path Finder

Maybe try a 'case' statement instead of 'if' and add another status type just called compliant for versions that are greater than the current version.

0 Karma
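The reason the original search marks higher versions Non-Compliant is that `lookup Coreapps.csv DisplayVersion ...` matches on the exact version string, so any version not literally present in the CSV gets no Status and falls through to "NonCompliant". The search below is an added example, not code from either poster or from Splunk: it matches the lookup on DisplayName instead, pulls the baseline version out of the CSV as MinVersion, splits both version strings into numeric parts and compares them major, minor, patch with a `case` statement, which is the approach suggested in the reply above. It assumes the lookup columns shown in the question (DisplayName, DisplayVersion, Status), dotted numeric versions with up to three parts, and uses field names of my own choosing (inst, base, i0..i2, b0..b2, MinVersion).

```spl
index=abc_aa sourcetype=xxxxxxxx OsVersion=10.0 host="*"
    (DisplayName="Adobe Acrobat Reader DC" AND DisplayName!="Extended Asian Language font pack for Adobe Acrobat Reader DC")
| table host DisplayName DisplayVersion OsVersion
| lookup Coreapps.csv DisplayName OUTPUTNEW DisplayVersion AS MinVersion
| eval inst=split(DisplayVersion,"."), base=split(MinVersion,".")
| eval i0=coalesce(tonumber(mvindex(inst,0)),0),
       i1=coalesce(tonumber(mvindex(inst,1)),0),
       i2=coalesce(tonumber(mvindex(inst,2)),0)
| eval b0=coalesce(tonumber(mvindex(base,0)),0),
       b1=coalesce(tonumber(mvindex(base,1)),0),
       b2=coalesce(tonumber(mvindex(base,2)),0)
| eval Status=case(
       isnull(MinVersion), "NonCompliant",
       i0>b0, "Compliant",  i0<b0, "NonCompliant",
       i1>b1, "Compliant",  i1<b1, "NonCompliant",
       i2>=b2, "Compliant", true(), "NonCompliant")
| table host DisplayName DisplayVersion MinVersion Status
```

With a baseline of 18.11.20040 this labels 18.11.20040 and 19.0.1 as Compliant and 18.10.99999 or 17.12.20040 as NonCompliant, and hosts whose DisplayName has no row in the CSV stay NonCompliant because MinVersion is null. The `coalesce(...,0)` wrappers keep the comparison from silently failing when a version string has fewer than three parts; a string-only comparison such as `DisplayVersion >= MinVersion` would be wrong here because "9.1" sorts after "18.11" as text. If the CSV ever holds more than one row per DisplayName, dedupe it first or the lookup will return a multivalue MinVersion.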

sandeepshah81
Explorer

Any comments from anyone?

0 Karma