Splunk Search

How to compare fields across multiple sourcetypes

Path Finder

Hi all,
Im working on a search that essentially would take the field results from one search where I'm looking for a specific PBM ("Problem Number") and the RMTMS ("Reporting Serial Numbers") associated with it, and comparing it across another search where the update history of various machines are listed. In this other data I extract the "Bundle" and the serial number MTMS , so that I can compare the MTMS and RMTMS fields for equality, while appending the Bundle Information to it. Essentially my end result would be a table that lists the Serial Number of each machine that has reported that specific problem number, as well as what Code level it is on.
Here is what i have so far, which is pretty much just the two searches, however I haven't been able to compare the two fields, I have used join(the current search), append, and append pipe, however I might be using them incorrectly.
Thank you in advance for any help.

index=* "PMB#1" 
|rex field=storageFacilityMTMS "(?<RMTMS>2123-900\S+)" 
| stats values(PMB)  values(RMTMS) as RMTMS
| join [ search index=*  "Code Levels" " Package Level" AND "Sea.ha" 
| rex "(?:\n|.)\s+(?<BU1>(?:8[7]+\.\d+\.\d+\.\d+))"
| rex "(?m)Package:\s+ha(?:\n|.)*?VRMF:\s+(?<BU2>87\S+)"
| rex "(?m)Package:\s+sfi(?:\n|.)*?VRMF:\s+(?<BU3>87\S+)"
| rex "(?m)Package:\s+se(?:\n|.)*?VRMF:\s+(?<BU3>87\S+)"
| eval Bundle=0 | foreach BU* [ eval Bundle=max(largest_BU, BU1,BU2, BU3 ) ]
| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MTMS:(?<MT>\s+\d+\-\d+\S\S+)"  
| eval MTMS=coalesce(MT,RMTMS) 
| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?Package Level:\s+(?<LIC>\d+\.\d+\.\d+\.\d+)" 
| rex "(?m)Package:\s+SEA.ha.*?(?<MTMS>\s+\d+\-\d+\S\S+)" 
| eval MTMS=coalesce(MT,MS)| stats list(MTMS) as MTMS , list(Bundle) as Bundle ] 
|makemv RMTMS|mvexpand RMTMS | stats   list(MTMS) as MTMS values(RMTMS) as RMTMS , list(Bundle) as Bundle,| makemv MTMS| mvexpand MTMS| stats list(RMTMS) as MTMS , list(Bundle) as Bundle

Search 1 (before join command)

PMB       RMTMS
#1        2123-900-1
          2123-900-2
          2123-900-3

Search 2 (after the join command in search)

MTMS            Bundle
2123-900-1       87.1
2123-900-2       87.2
2123-900-7       87.3
2123-900-8       87.4

Combined Results ( matched RMTMS and MTMTS)

PMB    Matched_MTMS's        Bundle
#1        2123-900-1           87.1
          2123-900-2           87.2

In a nutshell im running two separate searches where I'm trying to match a field from each to create a single field ( RMTMS, MTMS) while adding the other fields to it ( PMB, Bundle).

0 Karma

Path Finder

If I'm understanding this correctly, is this what you are looking for:

You do a search of problem tickets that have individual ID numbers: search PBM

The results are logs for the problem tickets with the various RMTMS values. The RMTMS values are the serial numbers of the machines associated to the problem tickets.

You then want to take the serial numbers and search your asset inventory to see what the patch level is and compare the systems to see if they are equivalent?

So for instance, I've got problem ID PBM 8675309. The RMTMS values that come back for are serial numbers 00042, 01337, and 01010. I will then search my asset inventory to see if those three systems are all running NT 4 Patch 6 and IIS 3.12?

So then my end table would be:
00042 - NT 4 P 6 - IIS 3.12
01337 - OS/S IIS - IBM 2
01010 - NT 4 P 6 - IIS 3.11

Is that correct?

0 Karma

Esteemed Legend

You need to explain exactly how the 2 datasets relate and what you are trying correlate. The best way to do that is go give a minimalist set of sample events and then a mockup of the desired output. If you do this, I believe somebody will be able to help you. As it is, I have no idea what you are trying to do but I am certain that your existing search is WAY over-complicated.

0 Karma

Path Finder

Yes your are right, thank you for pointing that out, I have revised it and hopefully it makes more sense now.

0 Karma

Esteemed Legend

I still do not get it at all. Explain it like this:
Search 1:

blah blah1

Search 2:

blah blah 2

Results 1:

boo-hoo 1

Results 2:

boo-hoo 2

Desired Results:

foo bar success
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!