Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to compare same field with values for equality?

satish
Explorer
‎01-09-2023 01:19 AM
Hi Experts,
 
I would like to compare values in same field (vlan_ids) for equality based on a machine serial (hyp_serial).
 
Would like validate whether the VLAN ID's are configured on both VM's under same hyp_serial are same or not equal. 
 
There will be 2 VM's under the same serial. 
 
Could you please help me with my requirement.
 
index=lab source=unix_hyp 
| spath path=hyp_info{}{} output=LIST 
| mvexpand LIST 
| spath input=LIST 
| where category == "hyp_vlan" 
| table hyp_name hyp_serial vlan_ids 
 
Table Output:
------------------
hyp_name     hyp_serial   vlan_ids
hyp_vm1 AE12893X    5_767_285_2010
hyp_vm2     AE12893X5_356_375_2010
hyp_vm3    ZX87627J9_49_43_44_3120
hyp_vm4     ZX87627J9_49_43_44_3120
hyp_vm5 YG92412K5_767_285_2010
hyp_vm6 YG92412K 5_767
 
 
Expected Output:
-----------------
hyp_name     hyp_serial   vlan_ids      VLAN CHECK
hyp_vm1 AE12893X    5_767_285_2010    OK
hyp_vm2     AE12893X 5_356_375_2010  OK
hyp_vm3    ZX87627J 9_49_43_44_3120  OK
hyp_vm4     ZX87627J 9_49_43_44_3120  OK 
hyp_vm5 YG92412K 5_767_285_2010  MISMATCH
hyp_vm6 YG92412K 5_767             MISMATCH
Labels (5)
Tags (2)
0 Karma
Reply

satish
Explorer
‎01-09-2023 03:42 AM

@PaulPanther  Could you advise if there is any way to validate the VLAN ID's 

For the below one the mismatch value is due to missing VLAN 285 and 2010.. Is there any way to do the comparison in that way.

hyp_vm5 YG92412K 5_767_285_2010  MISMATCH
hyp_vm6 YG92412K 5_767             MISMATCH
0 Karma
Reply

PaulPanther
Builder
‎01-09-2023 03:57 AM

@satish If the VLAN_IDs are more or less static values you could work with lookups (About lookups - Splunk Documentation).

Execute following steps for it:

1. Create new empty lookup

2. Create a scheduled report to fill the lookup with valid VLAN_IDs based on your ingested data OR fill the lookup manually with values

3. Use the lookup within your search to get an overview about all VMs whose associated VLAN IDs are not valid

0 Karma
Reply

satish
Explorer
‎01-09-2023 03:59 AM

@PaulPanther

Let me try using Lookup.. Thanks Paul.

0 Karma
Reply

PaulPanther
Builder
‎01-09-2023 02:57 AM

Following search should do the trick

index=lab source=unix_hyp 
| spath path=hyp_info{}{} output=LIST 
| mvexpand LIST 
| spath input=LIST 
| where category == "hyp_vlan" 
| stats dc(hyp_name) as result by hyp_serial, vlan_ids
| eval status=case(result=2, "OK", result<2, "MISMATCH")
| fields - result

 

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...