Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

"AND" a field over multiple events

mw
Splunk Employee
Splunk Employee
‎01-07-2011 08:13 PM

I'm having a tough time conceptualizing this, and was hoping someone could get my brain kickstarted. I have multiple events of the same type where I'd like to "AND" the values of a [multivalued] field. For example

host=sys1 patch_id=456 cve="002, 007, 008" compliant=True
                            ^^^

host=sys1 patch_id=123 cve="001, 002, 003" compliant=False
                                 ^^^

Hopefully it's obvious that I can't just dedup these (e.g. dedup host, cve). These are 2 different events, each addressing a particular patch for that host. I'd like to graph compliance of each cve. Specifically, my question is with regards to cve=002. The host/patch has both a True and a False value, and should therefore be considered as compliant=False in the end. Only if all cve=002 for host=sys1 are compliant=True should I consider it to actually be compliant=True. Ultimately, those 2 events should end up "merging" as something closer to:

host=sys1 cve=002 compliant=False

Thoughts?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎01-07-2011 08:55 PM

assuming that the cve field is already being extracted as a multivalued field, then check out the following search. 

<your search> | stats values(compliant) as compliant by host, cve

That search will give you rows that are the unique combinations of host and cve, and each row will have a multivalued field 'compliant' that will be either [True],[True,False] or [False].

and then if you search that result set, you can get the hosts where cve=002 and compliance is false

<your search> | stats values(compliant) as compliant by host, cve | search cve=002 compliant=False | top host

or you could see the unique combinations of host and cve that were marked as not compliant with the following: 

<your search> | stats values(compliant) as compliant by host, cve | search compliant=False | stats count by host, cve

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎01-07-2011 08:55 PM

assuming that the cve field is already being extracted as a multivalued field, then check out the following search. 

<your search> | stats values(compliant) as compliant by host, cve

That search will give you rows that are the unique combinations of host and cve, and each row will have a multivalued field 'compliant' that will be either [True],[True,False] or [False].

and then if you search that result set, you can get the hosts where cve=002 and compliance is false

<your search> | stats values(compliant) as compliant by host, cve | search cve=002 compliant=False | top host

or you could see the unique combinations of host and cve that were marked as not compliant with the following: 

<your search> | stats values(compliant) as compliant by host, cve | search compliant=False | stats count by host, cve
Reply
Solved! Jump to solution

mw
Splunk Employee
Splunk Employee
‎01-08-2011 05:33 AM

Thanks nick! I hadn't thought to use "stats values" to multivalue the field. Because I want to plot both compliant=True and compliant=False values, I assume I can add an eval and mvfilter in there maybe to basically say "if complaint contains a value of False, compliant=False". Thanks for the jumpstart!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...