Search Query for comparing OS from live search and from lookup and showing the differences

harshsri21
New Member

Hi All,

I need to create a report comparing the OS versions of hosts from a live search and from a lookup. I'll try to explain below:

Source 1: a live search like index="ip-win-evt" that gives the fields hosts and WindowsVersion

hosts   WindowsVersion
Asset1  2003
Asset2  2008
Asset3  2012

Source 2: a lookup that contains the fields Assets and Host_Operating_System

Assets  Host_Operating_System
Asset1  2008
Asset2  2003
Asset3  2012

Desired output: a comparison of WindowsVersion and Host_Operating_System for each host

Assets  WindowsVersion  Host_Operating_System  Difference
Asset1  2003            2008                   Yes
Asset2  2008            2003                   Yes
Asset3  2012            2012                   No

Thanks in advance.


rafaelsalazar
Path Finder

Well, there are a couple of solutions for this; in the end the strategy is doing a lookup and then applying an eval.

But the better one is to configure an automatic lookup to enrich the data with the Host_Operating_System field from the lookup, so that when you search, it already comes like this:

Assets  WindowsVersion  Host_Operating_System
Asset1  2003            2008
Asset2  2008            2003
Asset3  2012            2012

And then you just have to do an eval: Difference=if(WindowsVersion=Host_Operating_System, "No", "Yes")
Check this link on how to create an automatic lookup

If you don't want to alter the index's harmony, then do a lookup on the asset and an eval. The event field is called hosts while the lookup key is Assets, so map the key with AS, and note that the desired output wants Difference="Yes" when the two values differ:

index=foo sourcetype=bar
| lookup fooAssets.csv Assets AS hosts OUTPUT Host_Operating_System
| eval Difference=if(WindowsVersion=Host_Operating_System, "No", "Yes")
| table _time, hosts, WindowsVersion, Host_Operating_System, Difference, _raw

Regards,
Rafael.

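A fuller version of the lookup-plus-eval approach above, added here as an example and not part of either post. It assumes the event field WindowsVersion is already extracted, that the lookup file is named assets.csv (a placeholder; substitute the real lookup name), and that the live search window is the last 24 hours. It collapses the live events to one row per host first (otherwise every event for a host produces a comparison row), appends the inventory so that hosts present in only one source are reported instead of silently dropped, and uses case() so a missing value is labelled rather than counted as a difference:

```spl
index="ip-win-evt" earliest=-24h
| stats latest(WindowsVersion) AS WindowsVersion BY hosts
| append [ | inputlookup assets.csv | rename Assets AS hosts ]
| stats values(WindowsVersion) AS WindowsVersion
        values(Host_Operating_System) AS Host_Operating_System
        BY hosts
| eval Difference=case(
    isnull(Host_Operating_System), "Not in lookup",
    isnull(WindowsVersion), "No live events",
    WindowsVersion!=Host_Operating_System, "Yes",
    true(), "No")
| table hosts WindowsVersion Host_Operating_System Difference
```

With the sample data from the question this returns Asset1 and Asset2 with Difference="Yes" and Asset3 with "No"; a host that reports events but has no row in assets.csv shows "Not in lookup", and an inventory entry with no events in the window shows "No live events". Both of those rows are usually the interesting ones in an asset-reconciliation report. The inputlookup runs as a subsearch, so it is subject to the subsearch result limit; for a very large inventory, use the automatic lookup described above for the match and run a separate inputlookup-driven search for the "no live events" case.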