Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare the values with the time and host?

Anud
Path Finder
‎04-24-2022 06:01 AM

Team,

I am having a query which would result as below.

_time Host Name version
3/2/2022  15:22:04 PM 3 car 248
3/1/2022  15:21:04 PM 3 car 246
3/1/2022  15:20:07PM 2 car 246
3/1/2022  15:20:03 PM 3 bus 600
3/1/2022  15:19:02 PM 2 bus 600
2/1/2022  15:20:03 PM 3 Toy 600
2/1/2022  15:19:02 PM 2 Toy 248
2/1/2022  14:19:02 PM 2 Toy 248

 

After that i need final output like below.

_time Host Name version Final
2/1/2022  15:20:03 PM 3 Toy 600 Not matching
3/1/2022  15:20:03 PM 3 bus 600 Matched
3/1/2022  15:21:04 PM 3 car 246 Matched
3/2/2022  15:22:04 PM 3 car 248 Not matching

 

 I am not sure to compare between columns itself. Could someone please help me out here.

Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-24-2022 11:13 AM 
| eventstats dc(Host) as hosts by Name version
| stats latest(_time) as _time latest(Host) as Host by Name version hosts
| eval Final=if(hosts = 2, "Matched","Not matching")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-24-2022 06:55 AM

What are your criteria for matching the columns?

0 Karma
Reply
Solved! Jump to solution

Anud
Path Finder
‎04-24-2022 07:58 AM

Host is the criteria.

We need to check host latest and earliest time in a day... accordingly thier names and version have to compare.

Thankyou

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-24-2022 09:33 AM

Why is bus/600 matched when there is a host with a different number on the same day?

Why is car/248 not matched when there isn't another entry for the same day?

0 Karma
Reply
Solved! Jump to solution

Anud
Path Finder
‎04-24-2022 10:30 AM

Here target is to check the version for the host and their names.

So we have only 2hosts...final version is compared to 2and 3hosts with their same names.

Sometimes it takes to another day,so we need compare pervious day host latest time.

Thank you

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-24-2022 11:13 AM 
| eventstats dc(Host) as hosts by Name version
| stats latest(_time) as _time latest(Host) as Host by Name version hosts
| eval Final=if(hosts = 2, "Matched","Not matching")
0 Karma
Reply
Solved! Jump to solution

Anud
Path Finder
‎05-01-2022 11:58 PM

Thank you !!

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...