Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

help correct eval command

olawalePS
Path Finder
‎11-06-2023 07:29 AM

Please help me correct the command below. It keeps returning all the devices as no even though the app is installed.

index="jamf" sourcetype="jssUapiComputer:computerGeneral"
| dedup computer_meta.serial
| rename computerGeneral.lastContactTime AS lastContactTime
| eval timestamp = strptime(lastContactTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
| eval sixtyDaysAgo = relative_time(now(), "-60d") 
| where timestamp>sixtyDaysAgo
| eval installed=if(computer_meta.serial IN [ search index="jamf" computer_meta.managed="true" sourcetype="jssUapiComputer:app" app.name="VMware CBCloud.app"| fields computer_meta.serial], "Yes", "No")
| table computer_meta.name, installed
Labels (1)
Labels
Tags (1)
0 Karma
Reply

olawalePS
Path Finder
‎11-06-2023 09:00 AM

The results remained the same.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-06-2023 09:06 AM

Hi @olawalePS ,

are you sure about the time format?

could you share a sample of your logs?

Ciao.

Giuseppe

0 Karma
Reply

olawalePS
Path Finder
‎11-06-2023 09:17 AM

So I have attached to images

Computers that have checked-in in less than 60 days (274)

Screenshot 2023-11-06 at 18.12.53.png



The subset of that that has CBC installed (270)

Screenshot 2023-11-06 at 18.15.18.png

 

What I want now is a query to identify the 4 devices that do not have the app installed

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-06-2023 11:00 PM

Hi @olawalePS ,

the issue is probably related to the time format: you have different formats in yout data: 1,2 or 3 digits in milliseconds, probably your eval command correctly extracts data only when it matchjes the correct format.

You sould try to normalize your data, sometimes like this:

| eval 
   timestamp1=strptime(lastContactTime,"%Y-%m-%dT%H:%M:%S.%NZ"),
   timestamp2=strptime(lastContactTime,"%Y-%m-%dT%H:%M:%S.%2NZ"),   
   timestamp2=strptime(lastContactTime,"%Y-%m-%dT%H:%M:%S.%3NZ")
| eval timestamp=coalesce(timestamp1,timestamp2,timestamp3)

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-06-2023 07:46 AM

Hi @olawalePS,

rename computer_meta.serial

index="jamf" sourcetype="jssUapiComputer:computerGeneral"
| dedup computer_meta.serial
| rename computerGeneral.lastContactTime AS lastContactTime computer_meta.serial AS computer_meta_serial
| eval timestamp = strptime(lastContactTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
| eval sixtyDaysAgo = relative_time(now(), "-60d") 
| where timestamp>sixtyDaysAgo
| eval installed=if(computer_meta_serial IN [ search index="jamf" computer_meta.managed="true" sourcetype="jssUapiComputer:app" app.name="VMware CBCloud.app"| rename computer_meta.serial AS computer_meta_serial | fields computer_meta_serial], "Yes", "No")
| table computer_meta.name, installed

or use single quotes (').

I prefer to rename fields, even if is longer.

ciao.

Giuseppe

0 Karma
Reply

olawalePS
Path Finder
‎11-06-2023 08:59 AM

Renaming it did not change the results.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-06-2023 07:44 AM

Try something like this

index="jamf" sourcetype="jssUapiComputer:computerGeneral"
| dedup computer_meta.serial
| rename computerGeneral.lastContactTime AS lastContactTime
| eval timestamp = strptime(lastContactTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
| eval sixtyDaysAgo = relative_time(now(), "-60d") 
| where timestamp>sixtyDaysAgo
| eval installed=if(computer_meta.serial IN ([ search index="jamf" computer_meta.managed="true" sourcetype="jssUapiComputer:app" app.name="VMware CBCloud.app"| stats count by computer_meta.serial
    | eval search="\"".'computer_meta.serial'."\""
    | stats values(search) as search
    | eval search = mvjoin(search,",")]), "Yes", "No")
| table computer_meta.name, installed
0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...