Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Compliance Dashboard

Foolish_Rogue
Loves-to-Learn Everything
Friday

I would like to create a search or a series of searches to retrieve all of my Windows Servers from LDAP. After obtaining the list of servers, I plan to check each one against an index that contains all the installed applications. The purpose of this is to determine whether specific applications are installed on each server. Finally, I want to output a table with columns for the host and a 'Yes' or 'No' indicator for each application, reflecting its installation status.

I have tried using the | ldapsearch with filters to build a csv named AD_servers.csv.  I then try the search below:

| inputlookup AD_servers.csv

| join type= left host

     [ search index=installed-apps (DisplayName=App1 OR DisplayName=App2 OR DisplayName=App3                      OR DisplayName=App4)

     | stats values(DisplayName) as displayNames by host ]

| eval App1 = if(match(tostring(displayNames), "App1"), "YES", "NO")

| eval App2 = if(match(tostring(displayNames), "App2"), "YES", "NO")

| eval App3 = if(match(tostring(displayNames), "App3"), "YES", "NO")

| eval App4 = if(match(tostring(displayNames), "App4"), "YES", "NO")

| fields host, App1, App2, App3, App4

| table host, App1, App2, App3, App4

 

My issue seems to be with the | stats values() as some of my hosts have their data in the index but the search returns empty for DisplayName.  Can anyone help me with advice on how to accomplish my goal?

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
Friday

First and foremost - don't use join. There are some rare cases when join can be useful but this isn't one of them. As a rule of thumb - this is not SQL, joins are a no-no.

Just do your 

index=installed-apps (DisplayName IN (App1, App2, App3, App4))
| fields DisplayName host

to get your initial "report" of the data from the index. Check if it's good.

Now we use a neat trick to save ourselves the need to write all those evals.

| eval have{DisplayName}=1

This way if you have an event where DisplayName was named "App1", you'll get a field called haveApp1 with a value of 1.

Now you can simply do

| stats values(have*) as * by host

And you have the table from your indexed data. If you want to filter it by your lookup, you just do

| lookup AD_servers.csv host output host as matched
| search matched=*

If you want to show rows even for hosts which are in the lookup but which aren't in your index, you'll have to go another way. Instead of immediately statsing your data you go

| inputlookup append=t AD_servers.csv

And now you can do your 

| stats values(have*) as * by host
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...