Splunk Search

How to find the match in the column data and mark it as completed?

Hema_Nithya
Explorer

There are two searches with CI_Name as the common field. I have the output and want to compare the two columns installed and Server_Installed_Package based on CI_Name as common; if both are common, mark it as "Completed" in another column. If there is no match, mark it as Not completed.

First search output:

CI_Name installed shouldBe match
Server1 nss-3.44.0-7.el6_10 nss-3.44.0-13.el6_10
Server1 nss-devel-3.44.0-7.el6_10 nss-devel-3.44.0-13.el6_10
Server1 nss-sysinit-3.44.0-7.el6_10 nss-sysinit-3.44.0-13.el6_10

Second search output:

CI_Name Server_Installed_Package
Server1 libgdata-0.6.4-2.el6.x86_64
Server1 util-linux-ng-2.17.2-12.28.el6_9.2.x86_64
Server1 rt73usb-firmware-1.8-7.el6.noarch
Server1 sssd-1.13.3-60.el6_10.2.x86_64

0 Karma

ITWhisperer
SplunkTrust

For the first search, you can check whether the columns match like this.

| eval match=if(installed=shouldBe,"Complete","Not complete")

It is unclear what the second search is for.

0 Karma

Hema_Nithya
Explorer

I want to match with second search field Server_Installed_Package and shouldbe

| eval match=if(Server_Installed_Package=shouldBe,"Complete","Not complete")

Server_Installed_Package from second query 
shouldbe from first query 

Common field between two search query is CI_Name

 

0 Karma

ITWhisperer
SplunkTrust

<first search>
| append [<second search>]
| eventstats values(Server_Installed_Package) as Server_Installed_Package by CI_Name
| where isnotnull(installed)
| eval match=if(isnotnull(mvfind(Server_Installed_Package, shouldBe)), "Complete", "Not complete")
0 Karma

Hema_Nithya
Explorer

I tried the append; the final output displays all the packages in "Server_Installed_Package". I want only the package name as in "shouldBe".

CI_Name installed shouldBe Server_Installed_Package Vul_Status
server1 nss-3.44.0-7.el6_10 nss-3.44.0-13.el6_10 nss-3.44.0-13.el6_10 Complete
nss-devel-3.44.0-13.el6_10
nss-softokn-3.44.0-6.el6_10
nss-softokn-devel-3.44.0-6.el6_10
nss-softokn-freebl-3.44.0-6.el6_10
nss-softokn-freebl-3.44.0-6.el6_10.i686
nss-softokn-freebl-devel-3.44.0-6.el6_10
nss-sysinit-3.44.0-13.el6_10
nss-tools-3.44.0-13.el6_10
nss-util-3.44.0-1.el6_10
nss-util-devel-3.44.0-1.el6_10
nss_compat_ossl-0.9.6-2.el6_7
0 Karma

ITWhisperer
SplunkTrust

Add this line

| fields - Server_Installed_Package
0 Karma
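
An added example, not part of any post in this thread: a self-contained variant that scopes the comparison to each CI_Name and matches package names exactly while keeping only the matching package in Server_Installed_Package. Exact matching matters for patch verification because mvfind treats its second argument as a regular expression, so nss-3.44.0-13.el6_10 would also be found inside a longer name such as mod_nss-3.44.0-13.el6_10. Assumptions: the makeresults rows are constructed sample data (Server2 and the mod_nss row are invented for illustration), pkg_key is a hypothetical helper field, the architecture suffix list is illustrative, and the Splunk version in use supports makeresults format=csv.

```spl
| makeresults format=csv data="CI_Name,installed,shouldBe
Server1,nss-3.44.0-7.el6_10,nss-3.44.0-13.el6_10
Server1,nss-devel-3.44.0-7.el6_10,nss-devel-3.44.0-13.el6_10
Server2,nss-3.44.0-7.el6_10,nss-3.44.0-13.el6_10"
| append
    [| makeresults format=csv data="CI_Name,Server_Installed_Package
Server1,nss-3.44.0-13.el6_10.x86_64
Server1,nss-devel-3.44.0-7.el6_10.x86_64
Server2,mod_nss-3.44.0-13.el6_10.x86_64"]
| eval pkg_key=coalesce(shouldBe, replace(Server_Installed_Package, "\.(x86_64|i686|noarch)$", ""))
| eventstats values(Server_Installed_Package) as Server_Installed_Package by CI_Name pkg_key
| where isnotnull(shouldBe)
| eval Vul_Status=if(isnotnull(Server_Installed_Package), "Complete", "Not complete")
| table CI_Name installed shouldBe Server_Installed_Package Vul_Status
```

Grouping eventstats by both CI_Name and pkg_key means a row from the first search only receives an installed package when the same host reports exactly the expected name, with or without an architecture suffix.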