I'm working on a search that essentially would take the field results from one search, where I'm looking for a specific PBM ("Problem Number") and the RMTMS ("Reporting Serial Numbers") associated with it, and compare them across another search where the update history of various machines is listed. In this other data I extract the "Bundle" and the serial number MTMS, so that I can compare the RMTMS fields for equality while appending the Bundle information to it. Essentially my end result would be a table that lists the Serial Number of each machine that has reported that specific problem number, as well as what Code level it is on.
Here is what I have so far, which is pretty much just the two searches; however, I haven't been able to compare the two fields. I have used join (the current search), append, and appendpipe, but I might be using them incorrectly.
Thank you in advance for any help.
index=* "PMB#1"
| rex field=storageFacilityMTMS "(?<RMTMS>2123-900\S+)"
| stats values(PMB) values(RMTMS) as RMTMS
| join [ search index=* "Code Levels" " Package Level" AND "Sea.ha"
    | rex "(?:\n|.)\s+(?<BU1>(?:8+\.\d+\.\d+\.\d+))"
    | rex "(?m)Package:\s+ha(?:\n|.)*?VRMF:\s+(?<BU2>87\S+)"
    | rex "(?m)Package:\s+sfi(?:\n|.)*?VRMF:\s+(?<BU3>87\S+)"
    | rex "(?m)Package:\s+se(?:\n|.)*?VRMF:\s+(?<BU4>87\S+)"
    | eval Bundle=0
    | foreach BU* [ eval Bundle=max(largest_BU, BU1, BU2, BU3, BU4) ]
    | rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MTMS:(?<MT>\s+\d+\-\d+\S\S+)"
    | eval MTMS=coalesce(MT,RMTMS)
    | rex "(?m)Package:\s+SEA.ha(?:\n|.)*?Package Level:\s+(?<LIC>\d+\.\d+\.\d+\.\d+)"
    | rex "(?m)Package:\s+SEA.ha.*?(?<MTMS>\s+\d+\-\d+\S\S+)"
    | eval MTMS=coalesce(MT,MS)
    | stats list(MTMS) as MTMS, list(Bundle) as Bundle ]
| makemv RMTMS
| mvexpand RMTMS
| stats list(MTMS) as MTMS, values(RMTMS) as RMTMS, list(Bundle) as Bundle
| makemv MTMS
| mvexpand MTMS
| stats list(RMTMS) as MTMS, list(Bundle) as Bundle
Search 1 (before join command):

PMB    RMTMS
#1     2123-900-1
       2123-900-2
       2123-900-3

Search 2 (after the join command in search):

MTMS          Bundle
2123-900-1    87.1
2123-900-2    87.2
2123-900-7    87.3
2123-900-8    87.4

Combined Results (matched RMTMS and MTMS):

PMB    Matched_MTMS's    Bundle
#1     2123-900-1        87.1
       2123-900-2        87.2
In a nutshell, I'm running two separate searches where I'm trying to match a field from each to create a single field (RMTMS, MTMS) while adding the other fields to it (PMB, Bundle).
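The following is an added example, not part of the original thread, showing the usual SPL pattern for this kind of correlation: bring both datasets into one result set with append, give the serial number the same field name on both sides, and let stats ... by do the matching. The two makeresults blocks stand in for the two real searches and carry constructed sample values copied from the mockup tables above; PMB, RMTMS, MTMS and Bundle are the question's field names, and serial is a name assumed here for the common key.

```spl
| makeresults count=3
| streamstats count AS n
| eval PMB="#1",
       RMTMS=case(n=1, "2123-900-1", n=2, "2123-900-2", n=3, "2123-900-3"),
       serial=RMTMS
| fields - _time n
| append [
    | makeresults count=4
    | streamstats count AS n
    | eval MTMS=case(n=1, "2123-900-1", n=2, "2123-900-2", n=3, "2123-900-7", n=4, "2123-900-8"),
           Bundle=case(n=1, "87.1", n=2, "87.2", n=3, "87.3", n=4, "87.4"),
           serial=MTMS
    | fields - _time n ]
| stats values(PMB) AS PMB, values(Bundle) AS Bundle BY serial
| where isnotnull(PMB) AND isnotnull(Bundle)
| rename serial AS Matched_MTMS
| table PMB Matched_MTMS Bundle
```

Run as-is this yields two rows, 2123-900-1 with Bundle 87.1 and 2123-900-2 with Bundle 87.2, which is the "Combined Results" table from the question; serials seen in only one of the two sets (2123-900-3, -7, -8) are dropped by the where clause because values() is null for the side that never contributed an event. To use it on real data, replace the first makeresults block with the problem-number search plus its rex, and the block inside append with the code-level search plus its rex, keeping the eval serial=... line on each side. Doing the match with stats instead of join avoids the subsearch result limits join is subject to and needs no makemv/mvexpand; if a machine reports several code-level events, swap values(Bundle) for latest(Bundle) to keep only the most recent level.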
If I'm understanding this correctly, is this what you are looking for:
You do a search of problem tickets that have individual ID numbers: search PBM
The results are logs for the problem tickets with the various RMTMS values. The RMTMS values are the serial numbers of the machines associated to the problem tickets.
You then want to take the serial numbers and search your asset inventory to see what the patch level is and compare the systems to see if they are equivalent?
So for instance, I've got problem ID PBM 8675309. The RMTMS values that come back are serial numbers 00042, 01337, and 01010. I will then search my asset inventory to see if those three systems are all running NT 4 Patch 6 and IIS 3.12?
So then my end table would be:
00042 - NT 4 P 6 - IIS 3.12
01337 - OS/S IIS - IBM 2
01010 - NT 4 P 6 - IIS 3.11
Is that correct?
You need to explain exactly how the 2 datasets relate and what you are trying to correlate. The best way to do that is to give a minimalist set of sample events and then a mockup of the desired output. If you do this, I believe somebody will be able to help you. As it is, I have no idea what you are trying to do, but I am certain that your existing search is WAY over-complicated.