Splunk Search

set a flag in based on field value in multiple row

LearningGuy
Builder

Hello,
How do I set a flag in based on field value in multiple row?
For example:
In the following table,  network-1 is set to yes because server-1 that is on network-1 is also on fw-network-1 that is behind a firewall.   

Please suggest. Thank you!!

servernetworkfirewall
server-1network-1yes
server-1fw-network-1yes
server-2network-2no
server-3network-1yes
server-3fw-network-1yes
server-4network-2no
server-5network-3yes
server-5fw-network-3yes
Labels (4)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

There are a number of ways to do this - the example below uses makeresults to create your example data 

Simple way 1 - use eventstats to collect all networks for each server and then check if the results contain fw-network-X where X is the network the server is on

| makeresults format=csv data="server,network,firewall
server-1,network-1,yes
server-1,fw-network-1,yes
server-2,network-2,no
server-3,network-1,yes
server-3,fw-network-1,yes
server-4,network-2,no
server-5,network-3,yes
server-5,fw-network-3,yes"
| fields - firewall
``` Above creates your example table ```
| eventstats values(network) as nws by server
| eval firewall=if(nws="fw-".network OR match(network,"^fw-"), "yes", "no")
| fields - nws
| table server network firewall

Depending on the subleties of your data, you may need to tweak the eval firewall statement  

View solution in original post

LearningGuy
Builder

Hi @bowesmana 
Thanks a lot!!  You rock!!  
I did make attempt on using evenstats, but then It didn't work because of  if condition didn't work.  It turns out I had to use a match command.   
I appreciate your help.

bowesmana
SplunkTrust
SplunkTrust

There are a number of ways to do this - the example below uses makeresults to create your example data 

Simple way 1 - use eventstats to collect all networks for each server and then check if the results contain fw-network-X where X is the network the server is on

| makeresults format=csv data="server,network,firewall
server-1,network-1,yes
server-1,fw-network-1,yes
server-2,network-2,no
server-3,network-1,yes
server-3,fw-network-1,yes
server-4,network-2,no
server-5,network-3,yes
server-5,fw-network-3,yes"
| fields - firewall
``` Above creates your example table ```
| eventstats values(network) as nws by server
| eval firewall=if(nws="fw-".network OR match(network,"^fw-"), "yes", "no")
| fields - nws
| table server network firewall

Depending on the subleties of your data, you may need to tweak the eval firewall statement  

Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...