Splunk Search

Help combining results from different searches, append vs. multisearch

psmp
Explorer

Moderator Note: the below was originally posted as an Answer on an old question, but being its own question it has been split out accordingly.

index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* DisplayName="anysoftware*"
| dedup host, DisplayName
| stats count(host) as #_of_Hosts_with_package by DisplayName, DisplayVersion
| append [search index=testindex sourcetype=host source="testindex://hostSoftware" host=prod1*
    | table host
    | search NOT [search index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* | search "DisplayName"="anysoftware*" | dedup host | table host]
    | rename host as Hosts_Missing_software
    | stats count(Hosts_Missing_software) as #_Hosts_Missing_LeostreamAgent, list(Hosts_Missing_software) as Hosts_Missing_software]

The append does not yield all of the results due to the maxout limit, so I am moving to multisearch.

I am trying to do the same search with multisearch but it is not working. Any help is much appreciated. TIA

| multisearch
    [search index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* | fields host | rename host as Hosts_raw_List | eval type="search1"]
    [search index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* Name="Anysoftware*" | fields host Name Version | rename host as hostwithpack | eval type="search2"]
| eval result=search1-search2

My search1 returns 12 hosts (the total number of hosts available).
Search2 returns 11 hosts (hosts with the software installed).

I am looking for results like this table:

Name | Version | #ofhosts withsoftware | #of hosts without software | list of hosts with no software

Can anyone please help?
TIA


DalJeanis
SplunkTrust

Why not just

index=testindex sourcetype=host source="testindex://hostSoftware" host=prod1*
| eval FoundSoftware=if(like(DisplayName, "anysoftware%"), 1, 0)
| chart max(FoundSoftware) by host DisplayName

That will give you a chart with 1's for each host for each software that was found, and 0 for each software not found on that host.

You can switch host and DisplayName if you prefer the opposite orientation.

Then you can use the above results to calculate the two pieces of information that you want.

If you want to untable the results into one record per host per DisplayName, then this command will achieve that.

| untable host DisplayName FoundSoftware

acharlieh
Influencer

In moving this post, a comment providing more details from @psmp was lost:

Thanks for the reply.
index=powershell sourcetype=sw_list source="powershell://cw_list" host=prod* | stats list(host)

This query yields 5 hosts:
Host1
Host2
Host3
Host4
Host5

index=powershell sourcetype=sw_list source="powershell://cw_list" host=prod* packagename="Mysoftware" | stats count(host) by packagename packageversion

host packageName packageVersion
Host1 Mysoftware 1.0
Host3 Mysoftware 1.1
Host5 Mysoftware 1.0

I am looking for a query that yields the report below:

PackageName PackageVersion Total_hosts_with_pkg Total_hosts_without ListOfHostMissingPack

Mysoftware 1.0 2 2 Host2
Mysoftware 1.1 1 Host4

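The report asked for in the question and again in the comment above (per package and version: hosts with it, hosts without it, and the list of missing hosts) can be built in a single pass without append, subsearches or multisearch, so the subsearch row and time limits that truncated the original append (append's maxout and maxtime arguments, and the [subsearch] stanza in limits.conf) never come into play. The search below is an added example, not code from this thread; it uses the field names from the comment above (host, packagename, packageversion) and assumes Splunk 8.0 or later for mvmap, that the base search returns at least one event for every host in scope, and that host names contain no regex metacharacters other than dots.

```spl
index=powershell sourcetype=sw_list source="powershell://cw_list" host=prod*
| eventstats values(host) as all_hosts
| search packagename="Mysoftware"
| stats values(host) as hosts_with_pkg values(all_hosts) as all_hosts by packagename packageversion
| eval ListOfHostMissingPack=mvmap(all_hosts, if(isnull(mvfind(hosts_with_pkg, "^" . all_hosts . "$")), all_hosts, null()))
| eval Total_hosts_with_pkg=mvcount(hosts_with_pkg)
| eval Total_hosts_without=mvcount(all_hosts) - Total_hosts_with_pkg
| rename packagename as PackageName packageversion as PackageVersion
| table PackageName PackageVersion Total_hosts_with_pkg Total_hosts_without ListOfHostMissingPack
```

How it works, stage by stage: eventstats stamps every event with the distinct list of all hosts returned by the base search before any package filter is applied, so the "universe" of hosts survives the later filtering. The search command then keeps only the events for the package of interest, and stats collects, per package and version, the hosts that reported it (hosts_with_pkg) plus the flattened all_hosts list. mvmap walks all_hosts and keeps each host for which mvfind finds no exact match in hosts_with_pkg, which is the set difference the original eval result=search1-search2 was trying to express. The two counts are multivalue counts of those lists. Note that with the 5-host data in the comment, "without" here means "without this specific version", so version 1.0 lists Host2, Host3 and Host4 as missing and version 1.1 lists Host1, Host2, Host4 and Host5; if you want "without any version of the package", add `| eventstats values(host) as hosts_with_any by packagename` right after the search stage and use hosts_with_any in place of hosts_with_pkg in the mvfind. The one case this single-pass form cannot report is a package that is absent from every host, since the search filter then returns no rows at all.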