Solved: Re: set a flag in based on field value in multiple...

LearningGuy · ‎05-07-2024

Hello,
How do I set a flag in based on field value in multiple row?
For example:
In the following table, network-1 is set to yes because server-1 that is on network-1 is also on fw-network-1 that is behind a firewall.

Please suggest. Thank you!!

server	network	firewall
server-1	network-1	yes
server-1	fw-network-1	yes
server-2	network-2	no
server-3	network-1	yes
server-3	fw-network-1	yes
server-4	network-2	no
server-5	network-3	yes
server-5	fw-network-3	yes

bowesmana · ‎05-07-2024

There are a number of ways to do this - the example below uses makeresults to create your example data

Simple way 1 - use eventstats to collect all networks for each server and then check if the results contain fw-network-X where X is the network the server is on

| makeresults format=csv data="server,network,firewall
server-1,network-1,yes
server-1,fw-network-1,yes
server-2,network-2,no
server-3,network-1,yes
server-3,fw-network-1,yes
server-4,network-2,no
server-5,network-3,yes
server-5,fw-network-3,yes"
| fields - firewall
``` Above creates your example table ```
| eventstats values(network) as nws by server
| eval firewall=if(nws="fw-".network OR match(network,"^fw-"), "yes", "no")
| fields - nws
| table server network firewall

Depending on the subleties of your data, you may need to tweak the eval firewall statement

View solution in original post

LearningGuy · ‎05-08-2024

Hi @bowesmana
Thanks a lot!! You rock!!
I did make attempt on using evenstats, but then It didn't work because of if condition didn't work. It turns out I had to use a match command.
I appreciate your help.

bowesmana · ‎05-07-2024

There are a number of ways to do this - the example below uses makeresults to create your example data

Simple way 1 - use eventstats to collect all networks for each server and then check if the results contain fw-network-X where X is the network the server is on

| makeresults format=csv data="server,network,firewall
server-1,network-1,yes
server-1,fw-network-1,yes
server-2,network-2,no
server-3,network-1,yes
server-3,fw-network-1,yes
server-4,network-2,no
server-5,network-3,yes
server-5,fw-network-3,yes"
| fields - firewall
``` Above creates your example table ```
| eventstats values(network) as nws by server
| eval firewall=if(nws="fw-".network OR match(network,"^fw-"), "yes", "no")
| fields - nws
| table server network firewall

Depending on the subleties of your data, you may need to tweak the eval firewall statement

set a flag in based on field value in multiple row

eval

stats

subsearch

table

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?