Splunk Search

Having trouble with Eval case match multiple values and NOT matching

michaelnorup
Communicator

Hey guys.

I have been trying to make a compliance/noncompliance list:
I have a big search that will table all the data i need. I tried using eval case to assign compliance/noncompliance to the hosts however it is not working. There could be multiple problems.
The search is this:

 

 

| rex field=_raw "(Available Updates)\s+(?<AvailableUpdates>.+)"
| rex field=_raw "(.Net Version is)\s+(?<DotNetVersion>.+)"
| rex field=_raw "(Powershell Version is)\s+(?<PowershellVersion>.+)"
| rex field=_raw "(Was able to resolved google.dk)\s+(?<DNS>.+)"
| rex field=_raw "(Firewall's)\s+(?<AllFirewalls>.+)"
| rex field=_raw "(Commvault)\s+(?<Commvault>.+)"
| rex field=_raw "(Snow)\s+(?<Snow>.+)"
| rex field=_raw "(Symantec)\s+(?<Symantec>.+)"
| rex field=_raw "(Splunk Forwarder)\s+(?<Splunk>.+)"
| rex field=_raw "(SNMP Service)\s+(?<SNMP>.+)"
| rex field=_raw "(Zabbix Agent Version)\s+(?<Zabbix4>.+)"
| rex field=_raw "(Zabbix Agent2)\s+(?<Zabbix2>.+)"
| rex field=_raw "(VMware)\s+(?<VMware>.+)"
| rex field=_raw "(Backup route)\s+(?<BackupRoute>.+)"
| rex field=_raw "(Metric)\s+(?<Metric>.+)"
| rex field=_raw "(IPconfig)\s+(?<IPconfig>.+)"
| rex field=_raw "(DeviceID VolumeName)\s+(?<Storage>.+)"
| rex field=_raw "(Memory)\s+(?<Memory>.+)"
| rex field=_raw "(Amount of Cores)\s+(?<CPU>.+)"
| rex field=_raw "(is Licensed with)\s+(?<WindowsLicense>.+)"
| rex field=_raw "(Running Microsoft)\s+(?<OS>.+)"
| rex field=_raw "(OS Uptime is)\s+(?<Uptime>.+)"
| join type=outer host[|inputlookup  Peer_Dashboard_Comments.csv] 
| stats latest(AvailableUpdates) as AvailableUpdates, latest(DotNetVersion) as DotNetVersion, latest(PowershellVersion) as PowershellVersion, latest(DNS) as DNS, latest(AllFirewalls) as AllFirewalls, latest(Commvault) as Commvault, latest(Snow) as Snow, latest(Symantec) as Symantec, latest(Splunk) as Splunk, latest(SNMP) as SNMP, latest(Zabbix4) as Zabbix4, latest(Zabbix2) as Zabbix2, latest(VMware) as VMware, latest(BackupRoute) as BackupRoute, latest(Metric) as Metric, latest(IPconfig) as IPconfig, latest(Storage) as Storage, latest(Memory) as Memory, latest(CPU) as CPU, latest(WindowsLicense) as WindowsLicense, latest(OS) as OS, latest(Uptime) as Uptime, latest(Comments) as Comments by host
| fillnull value="-" 
| eval status=case(AvailableUpdates="= 0" AND NOT match(DotNetVersion,"Not!") AND match(PowershellVersion,"5.1") AND DNS="142.250.179.195" AND AllFirewalls="are disabled" AND match(Commvault,"is Installed") AND match(Snow,"is Installed") AND match(Symantec,"is Installed") AND match(Splunk,"is Installed") AND match(SNMP,"is installed") AND match(Zabbix4,"is installed") AND match(Zabbix2,"is installed") AND match(VMware,"is Installed") AND match(BackupRoute,"was found") AND match(Metric,"is - Ethernet") AND match(WindowsLicense,"Windows") AND (match(OS,"2016") OR match(OS,"2019")),"Compliant",1=1,"noncompliant")
| stats distinct_count(Compliant) as Compliant

 

 

 


It doesnt fail but reports back with a result of 0 compliant hosts. If i try to list noncompliant hosts it is also 0.

I have a AND (match(OS,"2016") OR match(OS,"2019")) in there. Is that a OK way of matching a single field to 2 values?

There is also a "AND NOT match(DotNetVersion" in the beginning. Is it okay to use both match and NOT match in the same case?

Anything im missing here?

Labels (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

I mean that you could run this SPL query in Verbose mode instead of Fast/Smart mode. In Verbose mode you can check what values those fields have from selecting those at Events / Selected / Interesting fields. That didn't work on Smart or Fast mode.

Then you see if e.g. SNMP fields contains "is installed" or something else.

btw: should this

| stats distinct_count(Compliant) as Compliant

 be like

| stats sum(eval(status="Compliant")) as Compliant by host
| table host Compliant

 or something else? As I can saw you haven't any field name Compliant on your example....

r. Ismo

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

You could run this in Verbose mode and check what those values are and see what that case expression should return.

0 Karma

michaelnorup
Communicator

Sorry not sure what you mean.

Just to be sure
IF the SNMP value is "SNMP Client is installed and running" will

match(SNMP,"is installed")

return true here?
And even if it doesnt, should it find my 10 noncompliant hosts atleast when i try to list those instead of the compliant ones?

0 Karma

isoutamo
SplunkTrust
SplunkTrust

I mean that you could run this SPL query in Verbose mode instead of Fast/Smart mode. In Verbose mode you can check what values those fields have from selecting those at Events / Selected / Interesting fields. That didn't work on Smart or Fast mode.

Then you see if e.g. SNMP fields contains "is installed" or something else.

btw: should this

| stats distinct_count(Compliant) as Compliant

 be like

| stats sum(eval(status="Compliant")) as Compliant by host
| table host Compliant

 or something else? As I can saw you haven't any field name Compliant on your example....

r. Ismo

michaelnorup
Communicator

Yea the i checked and the whole search works, and it assigns the hosts as compliant or noncompliant. It is the count in the end that doesnt work

| stats sum(eval(status="Compliant")) as Compliant by host


Changed it to this and it worked, thanks

Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...