Splunk Search

How to find the match in the column data and mark it as completed?

Hema_Nithya
Explorer

There are two searches with CI_Name as the common field . I have output and want compare the two columns installed and Server_Installed_Package based on CI_Name as common , if both are common mark it as "Completed" in another column. If there is no match mark it as Not completed.

first search output:

 

CI_Name installed shouldBe match
Server1 nss-3.44.0-7.el6_10 nss-3.44.0-13.el6_10  
Server1

nss-devel-3.44.0-7.el6_10

 

 

nss-devel-3.44.0-13.el6_10  
Server1 nss-sysinit-3.44.0-7.el6_10 nss-sysinit-3.44.0-13.el6_10  

 

Second search output :

CI_Name Server_Installed_Package
Server1 libgdata-0.6.4-2.el6.x86_64
Server1 util-linux-ng-2.17.2-12.28.el6_9.2.x86_64
Server1 rt73usb-firmware-1.8-7.el6.noarch
Server1 sssd-1.13.3-60.el6_10.2.x86_64

 

Labels (3)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

For the first search, you can check whether the columns match like this.

| eval match=if(installed=shouldBe,"Complete","Not complete")

It is unclear what the second search is for.

0 Karma

Hema_Nithya
Explorer

I want to  match with second search field Server_Installed_Package abd shouldbe

| eval match=if(Server_Installed_Package=shouldBe,"Complete","Not complete")

Server_Installed_Package from second query 
shouldbe from first query 

Common field between two search query is CI_Name

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
<first search>
| append [<second search>]
| eventstats values(Server_Installed_Package) as Server_Installed_Package
| where isnotnull(installed)
| eval match=if(isnotnull(mvfind(Server_Installed_Package, shouldBe)), "Complete", "Not complete")
0 Karma

Hema_Nithya
Explorer

I tried the append , the final output display all the packages in "Server_Installed_Package.  I want only the package name as in "shouldBe"


CI_NameinstalledshouldBeServer_Installed_PackageVul_Status
server1nss-3.44.0-7.el6_10nss-3.44.0-13.el6_10

nss-3.44.0-13.el6_10

Complete

nss-devel-3.44.0-13.el6_10

nss-softokn-3.44.0-6.el6_10

nss-softokn-devel-3.44.0-6.el6_10

nss-softokn-freebl-3.44.0-6.el6_10

nss-softokn-freebl-3.44.0-6.el6_10.i686

nss-softokn-freebl-devel-3.44.0-6.el6_10

nss-sysinit-3.44.0-13.el6_10

nss-tools-3.44.0-13.el6_10

nss-util-3.44.0-1.el6_10

nss-util-devel-3.44.0-1.el6_10

nss_compat_ossl-0.9.6-2.el6_7

     
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Add this line

| fields - Server_Installed_Package
0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...