Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Matching field values to text

dsb6
Loves-to-Learn Lots
‎11-23-2021 12:14 PM

I have a base search:
index=oswin EventCode=19 SourceName="Microsoft-Windows-WindowsUpdateClient" earliest=-10d ComputerName=*.somedomain.com
| rex "\WKB(?<KB>.\d+)\W"

The result populates field ‘KB’ with a list of values similar to:
5007192
5008601
890830

I need to test if ‘KB’ contains one of the following:
“5008601”, “5008602”, “5008603”, “5008604”, “5008605”, “5008606”

If a match is found, populate field HotFixID (new field) with the matched value. If no match is found, populate field HotFixID with “NotInstalled”.

Using search KB IN (5008601,5008602,5008603,5008604,5008605,5008606) results in matched values only. Case function works only if the matched value is the last one evaluated, otherwise it returns "notInstalled" even though a match is present.

Labels (1)
Labels
0 Karma
Reply

dsb6
Loves-to-Learn Lots
‎11-23-2021 01:52 PM

The suggested if(in(a,b)) does return the required results however, the results include a HotFixID value for each KB value. Using the sample KB values from my post, results for HotFixID are

NotInstalled
5008601
NotInstalled

Preference would be to have one result per ComputerName with HotFixID value of matched KB value or NotInstalled.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-24-2021 03:41 PM

Not sure I understand - the example search shows

bowesmana_0-1637797190119.png

Are you getting something different?

0 Karma
Reply

dsb6
Loves-to-Learn Lots
‎12-07-2021 02:05 PM

Thanks for your reply bowesmana. I was not clear on the desired output.

EventCode=19 will return multiple results for hundreds of ComputerName matches. The desired output is one line per ComputerName where HotFixID is either the matched KB or 'NotInstalled'.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-07-2021 05:43 PM

The two solutions I mentioned earlier - do neither of those give you what you want. If not, what is wrong with them.

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-23-2021 01:10 PM

Alternatively if you want these numbers to be defined in an external lookup, so you can edit the lookup to maintain the hot fix ids, then just make a CSV with a single field 'HotFixID' with the list of IDs you want to match then use this logic

index=oswin EventCode=19 SourceName="Microsoft-Windows-WindowsUpdateClient" earliest=-10d ComputerName=*.somedomain.com
| rex "\WKB(?<KB>.\d+)\W"
| lookup your_list_of_hotfix_ids.csv HotFixID as KB OUTPUIT HotFixID as Found
| eval HotFixID=if(isnull(Found), "Not Installed", KB)

Hope this helps

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-23-2021 01:05 PM

Use the if(in(a,b)) style as this

| makeresults
| eval KB=split("5007192,5008601,890830", ",")
| mvexpand KB
| eval HotFixID=if(in(KB, 5008601,5008602,5008603,5008604,5008605,5008606), KB, "Not Installed")

Last line is what you want

 

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...