Solved: Re: How to evaluate the following string as a fiel...

Hema_Nithya · ‎08-13-2023

Hi ,
I have two servers with plugin details . I want to evaluate a column as Package_installed and Package_shouldbe based on the hostname in separate column .

server2 has multiple packages I want separate row and column for each package_shouldbe and package_installed and hostname field should be same .

hostname	Plugins
server1	Plugin Output: Remote package installed : gnutls-3.6.16-5.el8_6 Should be : gnutls-3.6.16-6.el8_7 NOTE: The vulnerability information above was derived by checking the package versions of the affected packages from this advisory. This scan is unable to rely on Red Hat's own security checks, which consider channels and products in their vulnerability determinations.
server2	Plugin Output: Remote package installed : httpd-2.4.6-98.el7_9.6 Should be : httpd-2.4.6-98.el7_9.7 Remote package installed : httpd-tools-2.4.6-98.el7_9.6 Should be : httpd-tools-2.4.6-98.el7_9.7 Remote package installed : mod_session-2.4.6-98.el7_9.6 Should be : mod_session-2.4.6-98.el7_9.7 NOTE: The vulnerability information above was derived by checking the package versions of the affected packages from this advisory. This scan is unable to rely on Red Hat's own security checks, which consider channels and products in their vulnerability determinations.

richgalloway · ‎08-13-2023

Try this:

<<your current search>>
``` Extract installed packages ```
| rex max_match=0 field=Plugins "package installed\s*:\s*(?<installed>\S+)"
``` Extract "should be" names ```
| rex max_match=0 field=Plugins "Should be\s*:\s*(?<shouldBe>\S+)"
``` Pair installed with shouldBe ```
| eval packages=mvzip(installed, shouldBe, "#")
``` Give each pair its own event ```
| mvexpand packages
``` Break pairs apart ```
| eval packages=split(packages, "#")
| eval installed=mvindex(packages, 0), shouldBe=mvindex(packages, 1)
| table hostname installed shouldBe

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Hema_Nithya · ‎08-30-2023

I have another issue in comparing and want to compare should_be with server_installed_package . Sometime package installed is higher after patching . Example given below for git , if the number 2 < 3 , it should mark as completed , else it should check for the next digit if it is 2. and it should check for another number .

CI	Installed	shouldbe	server_installed_package
server1	git-2.31.1-3.el8_7	git-2.39.3-1.el8_8	git-3.40.3-1.el8_8	Not complete

richgalloway · ‎08-30-2023

A new issue should be in a new question.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎08-13-2023

Try this:

<<your current search>>
``` Extract installed packages ```
| rex max_match=0 field=Plugins "package installed\s*:\s*(?<installed>\S+)"
``` Extract "should be" names ```
| rex max_match=0 field=Plugins "Should be\s*:\s*(?<shouldBe>\S+)"
``` Pair installed with shouldBe ```
| eval packages=mvzip(installed, shouldBe, "#")
``` Give each pair its own event ```
| mvexpand packages
``` Break pairs apart ```
| eval packages=split(packages, "#")
| eval installed=mvindex(packages, 0), shouldBe=mvindex(packages, 1)
| table hostname installed shouldBe

---
If this reply helps you, Karma would be appreciated.

Hema_Nithya · ‎08-13-2023

It worked , thanks a lot

How to evaluate the following string as a fields

eval

field extraction

fields

regex

rex

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to evaluate the following string as a fields

Can’t make it to .conf25? Join us online!