Matching field values to text

dsb6
Loves-to-Learn Lots

I have a base search:
index=oswin EventCode=19 SourceName="Microsoft-Windows-WindowsUpdateClient" earliest=-10d ComputerName=*.somedomain.com
| rex "\WKB(?<KB>.\d+)\W"

The result populates field ‘KB’ with a list of values similar to:
5007192
5008601
890830

I need to test if ‘KB’ contains one of the following:
“5008601”, “5008602”, “5008603”, “5008604”, “5008605”, “5008606”

If a match is found, populate field HotFixID (new field) with the matched value. If no match is found, populate field HotFixID with “NotInstalled”.

Using search KB IN (5008601,5008602,5008603,5008604,5008605,5008606) results in matched values only. Case function works only if the matched value is the last one evaluated, otherwise it returns "notInstalled" even though a match is present.


dsb6
Loves-to-Learn Lots

The suggested if(in(a,b)) does return the required results however, the results include a HotFixID value for each KB value. Using the sample KB values from my post, results for HotFixID are

NotInstalled
5008601
NotInstalled

Preference would be to have one result per ComputerName with HotFixID value of matched KB value or NotInstalled.


bowesmana
SplunkTrust

Not sure I understand - the example search shows

[screenshot of the example search results]

Are you getting something different?


dsb6
Loves-to-Learn Lots

Thanks for your reply bowesmana. I was not clear on the desired output.

EventCode=19 will return multiple results for hundreds of ComputerName matches. The desired output is one line per ComputerName where HotFixID is either the matched KB or 'NotInstalled'.


bowesmana
SplunkTrust

The two solutions I mentioned earlier: do neither of those give you what you want? If not, what is wrong with them?

bowesmana
SplunkTrust

Alternatively, if you want these numbers to be defined in an external lookup, so you can edit the lookup to maintain the hot fix ids, then just make a CSV with a single field 'HotFixID' containing the list of IDs you want to match, then use this logic:

index=oswin EventCode=19 SourceName="Microsoft-Windows-WindowsUpdateClient" earliest=-10d ComputerName=*.somedomain.com
| rex "\WKB(?<KB>.\d+)\W"
| lookup your_list_of_hotfix_ids.csv HotFixID as KB OUTPUT HotFixID as Found
| eval HotFixID=if(isnull(Found), "Not Installed", KB)

Hope this helps

bowesmana
SplunkTrust

Use the if(in(a,b)) style, like this:

| makeresults
| eval KB=split("5007192,5008601,890830", ",")
| mvexpand KB
| eval HotFixID=if(in(KB, 5008601,5008602,5008603,5008604,5008605,5008606), KB, "Not Installed")

The last line is what you want.
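As an added example (not posted by anyone in this thread), the following extends bowesmana's makeresults test to produce the one-line-per-ComputerName output dsb6 asked for; the host names and KB values are constructed sample data, and the KB list is compared as quoted strings because rex extracts KB as a string.

```spl
| makeresults count=3
| streamstats count as n
| eval ComputerName=case(n<=2, "host1.somedomain.com", true(), "host2.somedomain.com")
| eval KB=case(n==1, "5007192", n==2, "5008601", n==3, "890830")
| eval Match=if(in(KB, "5008601","5008602","5008603","5008604","5008605","5008606"), KB, null())
| stats values(Match) as HotFixID by ComputerName
| fillnull value="NotInstalled" HotFixID
```

host1 ends up with HotFixID=5008601 and host2 with HotFixID=NotInstalled, since stats collapses the per-event matches and fillnull only touches hosts where no KB matched.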