Re: Search Query for comparing OS from live search...

harshsri21 · ‎05-17-2017

Hi All,

I need to create a report for comparing OS versions of hosts from live search and from the lookup. Trying to explain as below:

Source 1 : Live search like index ="ip-win-evt" and gives fields hosts and WindowsVersion

hosts WindowsVersion
Asset1 2003
Asset2 2008
Asset3 2012

Source2 : Lookup which contains fields Assets and Host_Operating_System

Assets Host_Operating_System
Asset1 2008
Asset2 2003
Asset3 2012

Desired Output : Comparison for OS from WindowsVersion and Host_Operating_System for the hosts

Assets WindowsVersion Host_Operating_System Difference
Asset1 2003 2008 Yes
Asset2 2008 2003 Yes
Asset3 2012 2012 No

Thanks in advance.

rafaelsalazar · ‎06-29-2017

Well there are a couple of solutions for this, at the end the strategy is doing a lookup, and then an eval applied.

But the better one is to configure an automatic lookup for this to enrich the data with the Host_Operating_System field from the lookup and so when you search it it already comes like this:
Assets, WindowsVersion, Host_Operating_System
Asset1, 2003, 2008
Asset2, 2008, 2003
Asset3, 2012, 2012

And then you just have to do and eval if(WindowsVersion=Host_Operating_System, "Yes", "No")
Check this link on how to create an automatic lookup

If you dont want to alter the index's harmony, then do a lookup on the asset and an eval
index=foo sourcetype=bar | lookup fooAssets.csv Assets OUTPUT Host_Operating_System | eval Difference=if(WindowsVersion=Host_Operating_System, "Yes", "No") | table _time, Assets, WindowsVersion, Host_Operating_System, Difference, _raw

Regards,
Rafael.

Search Query for comparing OS from live search and from lookup and showing the differences

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?