Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparing version number for multiple hosts in index

pl2345
Path Finder
‎11-29-2021 11:17 AM

I have an index that ingests scan files and assigns a sourcetype based on the folder location. There are several scans for each host, which caused some issues when I tried to join or append.

I'm trying to build  a search that takes the host, scan, and version in one folder and compares it against the host, scan, and version in the other and create a table with the host, evaluate scan and version, and authoritative scan and version and tell me if we have the most up to date scans in the authoritative folder. What's the best method to create this search?

Example data:

HOST_FQDN: Host1

sourcetype: Evaluate

SCAN: IE11

Version: 2

 

HOST_FQDN: Host1

sourcetype: Authoritative

SCAN: IE11

Version: 3

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pl2345
Path Finder
‎11-30-2021 08:17 AM

That search worked, but I was looking more for a line by line comparison. After taking a step back yesterday I came up with the following that gave me the results I was looking for.

 

index=foo sourcetype=Evaluate HOST_FQDN=* 
| join type=left HOST_FQDN SCAN 
   [search index=foo sourcetype=Authoritative HOST_FQDN=* 
   | rename sourcetype as "Authoritative Source File", Version as "Authoritative Version"] 
| rename source as "Evaluate Source File", Version as "Evaluate Version"
| table _time, HOST_FQDN, SCAN, "Evaluate Source File", "Evaluate Version", "Authoritative Source File", "Authoritative Version" 
| dedup HOST_FQDN STIG​

 

 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2021 12:40 PM

To find instances where the Evaluate version differs from the Authoritative version, try this query.

index=foo HOST_FQDN=* (sourcetype=Evaluate OR sourcetype=Authoritative) SCAN=* Version=*
| stats values(HOST_FQDN) as HOST_FQDN, list(sourcetype) as sourcetype, list(Version) as Version by SCAN
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

pl2345
Path Finder
‎11-30-2021 08:17 AM

That search worked, but I was looking more for a line by line comparison. After taking a step back yesterday I came up with the following that gave me the results I was looking for.

 

index=foo sourcetype=Evaluate HOST_FQDN=* 
| join type=left HOST_FQDN SCAN 
   [search index=foo sourcetype=Authoritative HOST_FQDN=* 
   | rename sourcetype as "Authoritative Source File", Version as "Authoritative Version"] 
| rename source as "Evaluate Source File", Version as "Evaluate Version"
| table _time, HOST_FQDN, SCAN, "Evaluate Source File", "Evaluate Version", "Authoritative Source File", "Authoritative Version" 
| dedup HOST_FQDN STIG​

 

 

Tags (1)
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...