Splunk Search

How to find the match in the column data and mark it as completed?

Hema_Nithya
Explorer

There are two searches with CI_Name as the common field. I have the output and want to compare the two columns installed and Server_Installed_Package based on CI_Name as the common field; if both are common, mark it as "Completed" in another column. If there is no match, mark it as "Not completed".

First search output:

CI_Name  installed                    shouldBe                      match
Server1  nss-3.44.0-7.el6_10          nss-3.44.0-13.el6_10
Server1  nss-devel-3.44.0-7.el6_10    nss-devel-3.44.0-13.el6_10
Server1  nss-sysinit-3.44.0-7.el6_10  nss-sysinit-3.44.0-13.el6_10

Second search output:

CI_Name  Server_Installed_Package
Server1  libgdata-0.6.4-2.el6.x86_64
Server1  util-linux-ng-2.17.2-12.28.el6_9.2.x86_64
Server1  rt73usb-firmware-1.8-7.el6.noarch
Server1  sssd-1.13.3-60.el6_10.2.x86_64


0 Karma

ITWhisperer
SplunkTrust

For the first search, you can check whether the columns match like this.

| eval match=if(installed=shouldBe,"Complete","Not complete")

It is unclear what the second search is for.

0 Karma

Hema_Nithya
Explorer

I want to match with the second search field Server_Installed_Package and shouldBe

| eval match=if(Server_Installed_Package=shouldBe,"Complete","Not complete")

Server_Installed_Package from the second query
shouldBe from the first query

The common field between the two search queries is CI_Name

0 Karma

ITWhisperer
SplunkTrust

<first search>
| append [<second search>]
| eventstats values(Server_Installed_Package) as Server_Installed_Package
| where isnotnull(installed)
| eval match=if(isnotnull(mvfind(Server_Installed_Package, shouldBe)), "Complete", "Not complete")
0 Karma

Hema_Nithya
Explorer

I tried the append; the final output displays all the packages in "Server_Installed_Package". I want only the package name as in "shouldBe".

CI_Name  installed            shouldBe              Server_Installed_Package                  Vul_Status
server1  nss-3.44.0-7.el6_10  nss-3.44.0-13.el6_10  nss-3.44.0-13.el6_10                      Complete
                                                    nss-devel-3.44.0-13.el6_10
                                                    nss-softokn-3.44.0-6.el6_10
                                                    nss-softokn-devel-3.44.0-6.el6_10
                                                    nss-softokn-freebl-3.44.0-6.el6_10
                                                    nss-softokn-freebl-3.44.0-6.el6_10.i686
                                                    nss-softokn-freebl-devel-3.44.0-6.el6_10
                                                    nss-sysinit-3.44.0-13.el6_10
                                                    nss-tools-3.44.0-13.el6_10
                                                    nss-util-3.44.0-1.el6_10
                                                    nss-util-devel-3.44.0-1.el6_10
                                                    nss_compat_ossl-0.9.6-2.el6_7

0 Karma

ITWhisperer
SplunkTrust

Add this line

| fields - Server_Installed_Package
0 Karma
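The thread's pieces (append, eventstats, mvfind, and dropping the multivalue field at the end) put together as one self-contained search, added here as an example and not code posted by either participant. Both "searches" are constructed inline with makeresults, makemv, mvexpand and rex so the whole thing runs in any Splunk search bar without real data; the package names and a second host (Server2) are made-up sample values. It goes slightly beyond the answer above in two ways: eventstats is split by CI_Name, so each server's patch status is judged only against its own installed-package inventory (the thread's data had a single server, where that did not matter), and the shouldBe value is anchored with a leading "^" so it must match from the start of a package name. The expected result is Complete for Server1 nss and nss-sysinit, Not complete for Server1 nss-devel and for Server2 nss.

```spl
| makeresults
| eval data="Server1|nss-3.44.0-7.el6_10|nss-3.44.0-13.el6_10,Server1|nss-devel-3.44.0-7.el6_10|nss-devel-3.44.0-13.el6_10,Server1|nss-sysinit-3.44.0-7.el6_10|nss-sysinit-3.44.0-13.el6_10,Server2|nss-3.44.0-7.el6_10|nss-3.44.0-13.el6_10"
| makemv delim="," data
| mvexpand data
``` first search stand-in: one row per CI_Name/installed/shouldBe (constructed sample rows) ```
| rex field=data "^(?<CI_Name>[^|]+)\|(?<installed>[^|]+)\|(?<shouldBe>[^|]+)$"
| fields - data
| append
    [| makeresults
     | eval data="Server1|nss-3.44.0-13.el6_10.x86_64,Server1|nss-sysinit-3.44.0-13.el6_10.x86_64,Server1|sssd-1.13.3-60.el6_10.2.x86_64,Server2|nss-3.44.0-7.el6_10.x86_64"
     | makemv delim="," data
     | mvexpand data
     ``` second search stand-in: the per-server installed package inventory (constructed sample rows) ```
     | rex field=data "^(?<CI_Name>[^|]+)\|(?<Server_Installed_Package>[^|]+)$"
     | fields - data]
``` collect every server's inventory into one multivalue field, per server, and copy it onto that server's rows ```
| eventstats values(Server_Installed_Package) as Server_Installed_Package by CI_Name
``` keep only the rows that came from the first search ```
| where isnotnull(installed)
``` mvfind returns the index of the first inventory entry matching the regex, or null if none does ```
| eval Vul_Status=if(isnotnull(mvfind(Server_Installed_Package, "^".shouldBe)), "Complete", "Not complete")
``` drop the full inventory so only the expected package and its status remain ```
| table CI_Name installed shouldBe Vul_Status
```

Two things to keep in mind when applying this to real data. mvfind treats its second argument as a regular expression, so the dots in a version string such as nss-3.44.0-13.el6_10 match any character; that is what lets a shouldBe value without an architecture suffix match the inventory's nss-3.44.0-13.el6_10.x86_64, but a package name containing "+" or other regex metacharacters would need escaping. The "^" anchor prevents a short expected name from matching inside a longer, unrelated package name. The `by CI_Name` on eventstats is the important addition: without it, a package installed on any one host would mark the check Complete on every host.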