@PaulPanther Could you advise if there is any way to validate the VLAN IDs?
For the below one, the mismatch value is due to missing VLAN 285 and 2010. Is there any way to do the comparison in that way?
@satish If the VLAN_IDs are more or less static values you could work with lookups (About lookups - Splunk Documentation).
Execute the following steps for it:
1. Create a new empty lookup
2. Create a scheduled report to fill the lookup with valid VLAN_IDs based on your ingested data OR fill the lookup manually with values
3. Use the lookup within your search to get an overview about all VMs whose associated VLAN IDs are not valid
Let me try using a lookup. Thanks, Paul.
The following search should do the trick:
index=lab source=unix_hyp
| spath path=hyp_info{}{} output=LIST
| mvexpand LIST
| spath input=LIST
| where category == "hyp_vlan"
| stats dc(hyp_name) as result by hyp_serial, vlan_ids
| eval status=case(result=2, "OK", result<2, "MISMATCH")
| fields - result
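
The comparison asked about above and the lookup steps, worked offline in Python as an added example that is not from any poster in the thread: it lists which VLAN IDs each host lacks relative to the other host with the same hyp_serial, and which IDs are absent from the lookup. The field names come from the search above; the comma-separated format of vlan_ids, the VALID_VLANS set and all event values are constructed assumptions.

```python
from collections import defaultdict

# Constructed stand-in for the lookup of valid VLAN IDs (step 2 of the procedure).
VALID_VLANS = {"100", "285", "2010"}

# Constructed events, as if already filtered to category == "hyp_vlan".
# Assumption: vlan_ids is a comma-separated string.
EVENTS = [
    {"hyp_name": "hyp-a1", "hyp_serial": "SER-A", "vlan_ids": "100,285,2010"},
    {"hyp_name": "hyp-a2", "hyp_serial": "SER-A", "vlan_ids": "100"},
    {"hyp_name": "hyp-b1", "hyp_serial": "SER-B", "vlan_ids": "100, 285"},
    {"hyp_name": "hyp-b2", "hyp_serial": "SER-B", "vlan_ids": "285,100"},
    {"hyp_name": "hyp-c1", "hyp_serial": "SER-C", "vlan_ids": "100,999"},
]


def parse_vlans(raw):
    """Split a comma-separated VLAN string into a set (order and spaces ignored)."""
    return {v.strip() for v in raw.split(",") if v.strip()}


def ordered(ids):
    """Sort numeric ID strings by value: shorter strings first, then lexically."""
    return sorted(ids, key=lambda v: (len(v), v))


def compare(events, valid):
    """Per hyp_serial: status, VLANs each host lacks versus its peers, and
    VLAN IDs that are absent from the lookup."""
    hosts_by_serial = defaultdict(dict)
    for ev in events:
        vlans = hosts_by_serial[ev["hyp_serial"]].setdefault(ev["hyp_name"], set())
        vlans |= parse_vlans(ev["vlan_ids"])
    report = {}
    for serial, hosts in hosts_by_serial.items():
        union = set().union(*hosts.values())
        missing = {h: ordered(union - v) for h, v in hosts.items() if union - v}
        # A lone host has no peer to agree with, so it is a mismatch too.
        ok = len(hosts) >= 2 and not missing
        report[serial] = {
            "status": "OK" if ok else "MISMATCH",
            "missing": missing,
            "not_in_lookup": ordered(union - valid),
        }
    return report


if __name__ == "__main__":
    for serial, row in compare(EVENTS, VALID_VLANS).items():
        print(serial, row)
```

Because the VLAN strings are compared as sets, "100, 285" and "285,100" count as equal here, whereas grouping by the raw vlan_ids string treats them as different values.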