- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field Extraction Issue - Need True/False compariso...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm wanting to avoid using saved searches and lookup tables as much if possible so it's easily maintainable by anyone on the team. Also, I'm wanting to make it as future proof as possible so it "just works" with little need to update or modify.
My end goal is to create a query that produces a True/False (or equivalent) result for each value when compared to the max value of the same field. To explain in more detail: I'm wanting the query to use the latest version of the Trellix/McAfee Agent reported in Splunk and then compare that value against the full set and return True/False if the numbers match.
I can get exactly what I need using the query below, but it needs to be manually updated every time the Agent version is updated.
source=trellix AgentVer=*
| eval AgentStatus=if(AgentVer=="5.7.9.182", "True","False")
| stats count BY AgentStatus
Simple
Where this gets complicated is when I try to isolate the latest version. I've tried all kinds of ways to extract that version number and put it into its own field and then do the comparison and nothing I've tried works.
Here's an example of what I have tried, but this is not exhaustive because I've tried 500 different ways... 😄
<!-- This query produces the version I need into a new field -->
source=trellix AgentVer=*
| stats max(AgentVer) AS TAV
<!-- Then I try to compare the value in the new TAV field to the old field -->
source=trellix AgentVer=*
| stats max(AgentVer) AS TAV
| eval Status=if(AgentVer==TAV, "True","False")
| table Status
<!-- No good -->
<!-- So then I try to take it a step further -->
source=trellix AgentVer=*
| stats max(AgentVer) AS TAV
| rex field=TAV (?<TA>"^(?:^\d+(\.\d+)+$)")
| eval Status=if(AgentVer==TA, "True","False")
| table Status
<!-- No good -->
<!-- Ok, maybe a subsearch will work -->
source=trellix AgentVer=*
[search source=trellix AgentVer=*
| stats max(AgentVer=*) AS TA
| table TA]
| eval Status=if(AgentVer=TAV, "True","False")
| table Status
<!-- No good -->
Again, the above are just examples of what I've tried. I've tried replacing | stats max(AgentVer) with | eval TA=max(AgentVer), I've tried chart instead of stats, and etc. I've even tried to just duplicate the field and use the duplicate instead of the original and still no luck. I've not found anything that can do what I'm trying to do. I hope it's possible but maybe I'm reaching here.
Does the community have any recommendations for how to solve this? Thank you ahead of time!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try eventstats so you don't lose the original events
source=trellix AgentVer=*
| eventstats max(AgentVer) AS TAV
| eval Status=if(AgentVer==TAV, "True","False")
| table Status- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try eventstats so you don't lose the original events
source=trellix AgentVer=*
| eventstats max(AgentVer) AS TAV
| eval Status=if(AgentVer==TAV, "True","False")
| table Status- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ITWhisperer , that's exactly what I was missing! I've been pounding my head against the wall for the past couple of hours... Thank you!
Here's the docs page for eventstats , for anyone having a similar issue.
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
