Splunk IT Service Intelligence

How to edit my compliance search to make any product version higher than the one in my lookup file be considered Compliant?

sandeepshah81
Explorer

I have a compliance search which I have created using a lookup file that does gives results. However, for a product version which is higher than the one I have in the Lookup file should be considered as Compliant, but it is being considered as Non-Compliant in the result.

I have a lookup file as csv format with below details
DisplayName DisplayVersion Status
Adobe Acrobat Reader DC 18.11.20040 Compliant

I am using a query like below where one of the Application Name is not actually the name of the Application, but it is a Plugin to the main application so I am excluding not be searched for (Extended Asian Language font pack for Adobe Acrobat Reader DC).

index=abc_aa sourcetype=xxxxxxxx OsVersion=10.0 host="*" (DisplayName="Adobe Acrobat Reader DC" AND DisplayName!="Extended Asian Language font pack for Adobe Acrobat Reader DC") | table  host DisplayName DisplayVersion OsVersion | lookup Coreapps.csv DisplayVersion OUTPUTNEW Status | eval Status=if((isnull(Status),"NonCompliant",Status)

I am able to get result with table command ...
but in the results: If I have a PC in which the Application version is greater than the one I have in my lookup file (18.11.20040 is in my lookup file), it takes that version as Non-Complaint which actually should not be the case as it is higher version.. I do not want to add that higher version in the lookup file.

Is there any other option to detect any version higher than or equal to the one I have selected is Compliant and lower then it is Non-Compliant?

How do I achieve it??

johnnyfrx
Path Finder

Maybe try a 'case' statement instead of 'if' and add another status type just called compliant for versions that are greater than the current version.

0 Karma

sandeepshah81
Explorer

Any comments from Anyone???

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...