Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to evaluate the following string as a fields
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hema_Nithya
Explorer
08-13-2023
11:59 AM
Hi ,
I have two servers with plugin details . I want to evaluate a column as Package_installed and Package_shouldbe based on the hostname in separate column .
server2 has multiple packages I want separate row and column for each package_shouldbe and package_installed and hostname field should be same .
| hostname | Plugins |
| server1 | Plugin Output: Remote package installed : gnutls-3.6.16-5.el8_6 Should be : gnutls-3.6.16-6.el8_7 NOTE: The vulnerability information above was derived by checking the package versions of the affected packages from this advisory. This scan is unable to rely on Red Hat's own security checks, which consider channels and products in their vulnerability determinations. |
| server2 | Plugin Output: Remote package installed : httpd-2.4.6-98.el7_9.6 Should be : httpd-2.4.6-98.el7_9.7 Remote package installed : httpd-tools-2.4.6-98.el7_9.6 Should be : httpd-tools-2.4.6-98.el7_9.7 Remote package installed : mod_session-2.4.6-98.el7_9.6 Should be : mod_session-2.4.6-98.el7_9.7 NOTE: The vulnerability information above was derived by checking the package versions of the affected packages from this advisory. This scan is unable to rely on Red Hat's own security checks, which consider channels and products in their vulnerability determinations. |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
08-13-2023
12:40 PM
Try this:
<<your current search>>
``` Extract installed packages ```
| rex max_match=0 field=Plugins "package installed\s*:\s*(?<installed>\S+)"
``` Extract "should be" names ```
| rex max_match=0 field=Plugins "Should be\s*:\s*(?<shouldBe>\S+)"
``` Pair installed with shouldBe ```
| eval packages=mvzip(installed, shouldBe, "#")
``` Give each pair its own event ```
| mvexpand packages
``` Break pairs apart ```
| eval packages=split(packages, "#")
| eval installed=mvindex(packages, 0), shouldBe=mvindex(packages, 1)
| table hostname installed shouldBe
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hema_Nithya
Explorer
08-30-2023
11:33 AM
I have another issue in comparing and want to compare should_be with server_installed_package . Sometime package installed is higher after patching . Example given below for git , if the number 2 < 3 , it should mark as completed , else it should check for the next digit if it is 2. and it should check for another number .
| CI | Installed | shouldbe | server_installed_package | |
| server1 | git-2.31.1-3.el8_7 | git-2.39.3-1.el8_8 | git-3.40.3-1.el8_8 | Not complete |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
08-30-2023
01:36 PM
A new issue should be in a new question.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
08-13-2023
12:40 PM
Try this:
<<your current search>>
``` Extract installed packages ```
| rex max_match=0 field=Plugins "package installed\s*:\s*(?<installed>\S+)"
``` Extract "should be" names ```
| rex max_match=0 field=Plugins "Should be\s*:\s*(?<shouldBe>\S+)"
``` Pair installed with shouldBe ```
| eval packages=mvzip(installed, shouldBe, "#")
``` Give each pair its own event ```
| mvexpand packages
``` Break pairs apart ```
| eval packages=split(packages, "#")
| eval installed=mvindex(packages, 0), shouldBe=mvindex(packages, 1)
| table hostname installed shouldBe
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hema_Nithya
Explorer
08-13-2023
08:51 PM
It worked , thanks a lot
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
