Splunk Search

How to find the match in the column data and mark it as completed?

Hema_Nithya
Explorer

There are two searches with CI_Name as the common field. I have the output and want to compare the two columns installed and Server_Installed_Package based on CI_Name as the common field; if both are common, mark it as "Completed" in another column. If there is no match, mark it as "Not completed".

first search output:

 

CI_Name  installed                    shouldBe                      match
Server1  nss-3.44.0-7.el6_10          nss-3.44.0-13.el6_10
Server1  nss-devel-3.44.0-7.el6_10    nss-devel-3.44.0-13.el6_10
Server1  nss-sysinit-3.44.0-7.el6_10  nss-sysinit-3.44.0-13.el6_10

 

Second search output :

CI_Name  Server_Installed_Package
Server1  libgdata-0.6.4-2.el6.x86_64
Server1  util-linux-ng-2.17.2-12.28.el6_9.2.x86_64
Server1  rt73usb-firmware-1.8-7.el6.noarch
Server1  sssd-1.13.3-60.el6_10.2.x86_64

 

0 Karma

ITWhisperer
SplunkTrust

For the first search, you can check whether the columns match like this.

| eval match=if(installed=shouldBe,"Complete","Not complete")

It is unclear what the second search is for.

0 Karma

Hema_Nithya
Explorer

I want to match with the second search field Server_Installed_Package and shouldbe

| eval match=if(Server_Installed_Package=shouldBe,"Complete","Not complete")

Server_Installed_Package is from the second query.
shouldbe is from the first query.

The common field between the two search queries is CI_Name.

 

0 Karma

ITWhisperer
SplunkTrust
<first search>
| append [<second search>]
| eventstats values(Server_Installed_Package) as Server_Installed_Package by CI_Name
| where isnotnull(installed)
| eval match=if(isnotnull(mvfind(Server_Installed_Package, shouldBe)), "Complete", "Not complete")
0 Karma

Hema_Nithya
Explorer

I tried the append; the final output displays all the packages in "Server_Installed_Package". I want only the package name as in "shouldBe".


CI_Name  installed            shouldBe              Server_Installed_Package                  Vul_Status
server1  nss-3.44.0-7.el6_10  nss-3.44.0-13.el6_10  nss-3.44.0-13.el6_10                      Complete
                                                    nss-devel-3.44.0-13.el6_10
                                                    nss-softokn-3.44.0-6.el6_10
                                                    nss-softokn-devel-3.44.0-6.el6_10
                                                    nss-softokn-freebl-3.44.0-6.el6_10
                                                    nss-softokn-freebl-3.44.0-6.el6_10.i686
                                                    nss-softokn-freebl-devel-3.44.0-6.el6_10
                                                    nss-sysinit-3.44.0-13.el6_10
                                                    nss-tools-3.44.0-13.el6_10
                                                    nss-util-3.44.0-1.el6_10
                                                    nss-util-devel-3.44.0-1.el6_10
                                                    nss_compat_ossl-0.9.6-2.el6_7

     
0 Karma

ITWhisperer
SplunkTrust

Add this line

| fields - Server_Installed_Package
0 Karma
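
An added example, not code from the thread or from Splunk: a self-contained variant of the comparison above that matches each shouldBe value exactly against the packages reported for the same CI_Name, instead of passing it to mvfind, which treats its second argument as a regular expression. The rows are constructed sample data, `pkg_key` and `pkg_hits` are field names chosen here, and `makeresults format=csv` assumes Splunk 9.0 or later.

```spl
| makeresults format=csv data="CI_Name,installed,shouldBe
Server1,nss-3.44.0-7.el6_10,nss-3.44.0-13.el6_10
Server1,nss-devel-3.44.0-7.el6_10,nss-devel-3.44.0-13.el6_10
Server2,nss-3.44.0-7.el6_10,nss-3.44.0-13.el6_10"
| append
    [| makeresults format=csv data="CI_Name,Server_Installed_Package
Server1,nss-3.44.0-13.el6_10.x86_64
Server1,nss-devel-3.44.0-7.el6_10.x86_64
Server1,sssd-1.13.3-60.el6_10.2.x86_64
Server2,nss-3.44.0-7.el6_10.x86_64"]
| eval pkg_key=coalesce(shouldBe, replace(Server_Installed_Package, "\.(x86_64|i686|noarch)$", ""))
| stats values(installed) as installed values(shouldBe) as shouldBe count(Server_Installed_Package) as pkg_hits by CI_Name pkg_key
| where isnotnull(shouldBe)
| eval match=if(pkg_hits>0, "Complete", "Not complete")
| fields CI_Name installed shouldBe match
```

On this sample only Server1's nss row comes out as Complete: Server1's nss-devel is still at release 7, and Server2 is not credited with the package that Server1 has installed.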