Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparing version number for multiple hosts in index

pl2345
Path Finder
‎11-29-2021 11:17 AM

I have an index that ingests scan files and assigns a sourcetype based on the folder location. There are several scans for each host, which caused some issues when I tried to join or append.

I'm trying to build  a search that takes the host, scan, and version in one folder and compares it against the host, scan, and version in the other and create a table with the host, evaluate scan and version, and authoritative scan and version and tell me if we have the most up to date scans in the authoritative folder. What's the best method to create this search?

Example data:

HOST_FQDN: Host1

sourcetype: Evaluate

SCAN: IE11

Version: 2

 

HOST_FQDN: Host1

sourcetype: Authoritative

SCAN: IE11

Version: 3

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pl2345
Path Finder
‎11-30-2021 08:17 AM

That search worked, but I was looking more for a line by line comparison. After taking a step back yesterday I came up with the following that gave me the results I was looking for.

 

index=foo sourcetype=Evaluate HOST_FQDN=* 
| join type=left HOST_FQDN SCAN 
   [search index=foo sourcetype=Authoritative HOST_FQDN=* 
   | rename sourcetype as "Authoritative Source File", Version as "Authoritative Version"] 
| rename source as "Evaluate Source File", Version as "Evaluate Version"
| table _time, HOST_FQDN, SCAN, "Evaluate Source File", "Evaluate Version", "Authoritative Source File", "Authoritative Version" 
| dedup HOST_FQDN STIG​

 

 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2021 12:40 PM

To find instances where the Evaluate version differs from the Authoritative version, try this query.

index=foo HOST_FQDN=* (sourcetype=Evaluate OR sourcetype=Authoritative) SCAN=* Version=*
| stats values(HOST_FQDN) as HOST_FQDN, list(sourcetype) as sourcetype, list(Version) as Version by SCAN
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

pl2345
Path Finder
‎11-30-2021 08:17 AM

That search worked, but I was looking more for a line by line comparison. After taking a step back yesterday I came up with the following that gave me the results I was looking for.

 

index=foo sourcetype=Evaluate HOST_FQDN=* 
| join type=left HOST_FQDN SCAN 
   [search index=foo sourcetype=Authoritative HOST_FQDN=* 
   | rename sourcetype as "Authoritative Source File", Version as "Authoritative Version"] 
| rename source as "Evaluate Source File", Version as "Evaluate Version"
| table _time, HOST_FQDN, SCAN, "Evaluate Source File", "Evaluate Version", "Authoritative Source File", "Authoritative Version" 
| dedup HOST_FQDN STIG​

 

 

Tags (1)
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...