Splunk Search

Matching field values to text

dsb6
Loves-to-Learn Lots

I have a base search:
index=oswin EventCode=19 SourceName="Microsoft-Windows-WindowsUpdateClient" earliest=-10d ComputerName=*.somedomain.com
| rex "\WKB(?<KB>.\d+)\W"

The result populates field ‘KB’ with a list of values similar to:
5007192
5008601
890830

I need to test if ‘KB’ contains one of the following:
“5008601”, “5008602”, “5008603”, “5008604”, “5008605”, “5008606”

If a match is found, populate field HotFixID (new field) with the matched value. If no match is found, populate field HotFixID with “NotInstalled”.

Using search KB IN (5008601,5008602,5008603,5008604,5008605,5008606) results in matched values only. Case function works only if the matched value is the last one evaluated, otherwise it returns "notInstalled" even though a match is present.


dsb6
Loves-to-Learn Lots

The suggested if(in(a,b)) does return the required results; however, the results include a HotFixID value for each KB value. Using the sample KB values from my post, the results for HotFixID are

NotInstalled
5008601
NotInstalled

Preference would be to have one result per ComputerName with HotFixID value of matched KB value or NotInstalled.


bowesmana
SplunkTrust

Not sure I understand - the example search shows

[screenshot: bowesmana_0-1637797190119.png]

Are you getting something different?


dsb6
Loves-to-Learn Lots

Thanks for your reply bowesmana. I was not clear on the desired output.

EventCode=19 will return multiple results for hundreds of ComputerName matches. The desired output is one line per ComputerName where HotFixID is either the matched KB or 'NotInstalled'.


bowesmana
SplunkTrust

The two solutions I mentioned earlier - do neither of those give you what you want? If not, what is wrong with them?


bowesmana
SplunkTrust

Alternatively if you want these numbers to be defined in an external lookup, so you can edit the lookup to maintain the hot fix ids, then just make a CSV with a single field 'HotFixID' with the list of IDs you want to match then use this logic

index=oswin EventCode=19 SourceName="Microsoft-Windows-WindowsUpdateClient" earliest=-10d ComputerName=*.somedomain.com
| rex "\WKB(?<KB>.\d+)\W"
| lookup your_list_of_hotfix_ids.csv HotFixID as KB OUTPUT HotFixID as Found
| eval HotFixID=if(isnull(Found), "Not Installed", KB)

Hope this helps


bowesmana
SplunkTrust

Use the if(in(a,b)) style like this

| makeresults
| eval KB=split("5007192,5008601,890830", ",")
| mvexpand KB
| eval HotFixID=if(in(KB, 5008601,5008602,5008603,5008604,5008605,5008606), KB, "Not Installed")

The last line is what you want.

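Following on from the per-event if(in(...)) check above, an added example (not bowesmana's or the original poster's code) that collapses the result to one row per ComputerName, which is what the asker wanted. The ComputerName and KB values are constructed sample data built with makeresults; the last three lines are the part to append to the real base search in place of that setup.

```spl
| makeresults count=4
| streamstats count as n
| eval ComputerName=case(n=1, "host-a.somedomain.com", n=2, "host-a.somedomain.com", n=3, "host-b.somedomain.com", n=4, "host-b.somedomain.com")
| eval KB=case(n=1, "5007192", n=2, "5008601", n=3, "890830", n=4, "5007192")
| eval HotFixID=if(in(KB, "5008601","5008602","5008603","5008604","5008605","5008606"), KB, null())
| stats values(HotFixID) as HotFixID by ComputerName
| fillnull value="NotInstalled" HotFixID
```

Events with no matching KB leave HotFixID null, so stats values() drops them and fillnull then marks the host as NotInstalled; a host that installed several of the listed KBs gets a multivalue HotFixID.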