How to add another column which shows TRUE/False b...

vinaykataaig · ‎08-09-2019

HI all,
Could anyone help me to add another column which shows true/false based on values on the other 3 rows.
When all the three columns says "Not Patched" I want that row to be defined as False at the end of the table the same way when the three columns says "Patched" i want that to show as True. Below is my query.

index="oswinsec" sourcetype="windowsupdatelog" | search "*Patch Deployment*" AND "*AGENT_INSTALLING_SUCCEEDED*" 
| rex field=_raw "^(?:[^:\n]*:){9}\s+(?P.+)" 
| eval servers = Upper(mvindex(split(host,"."),-0))
| eval start=strptime(Time, "%Y-%m-%d %H:%M:%S.%N") 
| eval day = strftime(start, "%a") 
| eval month = Upper(date_month) 
| replace "*KB*" WITH "Patched" IN ApplicablePatch
| stats values(count) as count values(ApplicablePatch) as ApplicablePatch by servers month | mvexpand servers 
| chart values(ApplicablePatch) as InstalledPatch by servers | fillnull value="Not Patched"

renjith_nair · ‎08-10-2019

@vinaykataaig,

Since the field names are dynamic for each month you run, try adding this to your current search

"your current search"|eval Result="True"
|foreach InstalledPatch* [eval Result=if(<<FIELD>>=="Not Patched","False",Result)]

Happy Splunking!

How to add another column which shows TRUE/False based on row values

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes