Hey guys. I have been trying to make a compliance/noncompliance list: I have a big search that will table all the data I need. I tried using eval case to assign compliance/noncompliance to the hosts; however, it is not working. There could be multiple problems. The search is this:
| rex field=_raw "(Available Updates)\s+(?<AvailableUpdates>.+)"
| rex field=_raw "(.Net Version is)\s+(?<DotNetVersion>.+)"
| rex field=_raw "(Powershell Version is)\s+(?<PowershellVersion>.+)"
| rex field=_raw "(Was able to resolved google.dk)\s+(?<DNS>.+)"
| rex field=_raw "(Firewall's)\s+(?<AllFirewalls>.+)"
| rex field=_raw "(Commvault)\s+(?<Commvault>.+)"
| rex field=_raw "(Snow)\s+(?<Snow>.+)"
| rex field=_raw "(Symantec)\s+(?<Symantec>.+)"
| rex field=_raw "(Splunk Forwarder)\s+(?<Splunk>.+)"
| rex field=_raw "(SNMP Service)\s+(?<SNMP>.+)"
| rex field=_raw "(Zabbix Agent Version)\s+(?<Zabbix4>.+)"
| rex field=_raw "(Zabbix Agent2)\s+(?<Zabbix2>.+)"
| rex field=_raw "(VMware)\s+(?<VMware>.+)"
| rex field=_raw "(Backup route)\s+(?<BackupRoute>.+)"
| rex field=_raw "(Metric)\s+(?<Metric>.+)"
| rex field=_raw "(IPconfig)\s+(?<IPconfig>.+)"
| rex field=_raw "(DeviceID VolumeName)\s+(?<Storage>.+)"
| rex field=_raw "(Memory)\s+(?<Memory>.+)"
| rex field=_raw "(Amount of Cores)\s+(?<CPU>.+)"
| rex field=_raw "(is Licensed with)\s+(?<WindowsLicense>.+)"
| rex field=_raw "(Running Microsoft)\s+(?<OS>.+)"
| rex field=_raw "(OS Uptime is)\s+(?<Uptime>.+)"
| join type=outer host [| inputlookup Peer_Dashboard_Comments.csv]
| stats latest(AvailableUpdates) as AvailableUpdates, latest(DotNetVersion) as DotNetVersion, latest(PowershellVersion) as PowershellVersion, latest(DNS) as DNS, latest(AllFirewalls) as AllFirewalls, latest(Commvault) as Commvault, latest(Snow) as Snow, latest(Symantec) as Symantec, latest(Splunk) as Splunk, latest(SNMP) as SNMP, latest(Zabbix4) as Zabbix4, latest(Zabbix2) as Zabbix2, latest(VMware) as VMware, latest(BackupRoute) as BackupRoute, latest(Metric) as Metric, latest(IPconfig) as IPconfig, latest(Storage) as Storage, latest(Memory) as Memory, latest(CPU) as CPU, latest(WindowsLicense) as WindowsLicense, latest(OS) as OS, latest(Uptime) as Uptime, latest(Comments) as Comments by host
| fillnull value="-"
| eval status=case(AvailableUpdates="= 0" AND NOT match(DotNetVersion,"Not!") AND match(PowershellVersion,"5.1") AND DNS="142.250.179.195" AND AllFirewalls="are disabled" AND match(Commvault,"is Installed") AND match(Snow,"is Installed") AND match(Symantec,"is Installed") AND match(Splunk,"is Installed") AND match(SNMP,"is installed") AND match(Zabbix4,"is installed") AND match(Zabbix2,"is installed") AND match(VMware,"is Installed") AND match(BackupRoute,"was found") AND match(Metric,"is - Ethernet") AND match(WindowsLicense,"Windows") AND (match(OS,"2016") OR match(OS,"2019")),"Compliant",1=1,"noncompliant")
| stats dc(host) as hosts by status
It doesn't fail, but reports back with a result of 0 compliant hosts. If I try to list noncompliant hosts it is also 0. I have an AND (match(OS,"2016") OR match(OS,"2019")) in there. Is that an OK way of matching a single field to 2 values? There is also an "AND NOT match(DotNetVersion" at the beginning. Is it okay to use both match and NOT match in the same case? Anything I'm missing here?
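An added example (not part of the original post) of one way to debug a case() like this: split it into one 0/1 field per check so the test that rejects every host becomes visible, then count by the field the eval actually creates (status; there is no field named Compliant). It assumes the same extracted field names as the search above and is meant to replace everything after the fillnull line; the check names (chk_*) are made up for this example.

```spl
| eval chk_updates    = if(AvailableUpdates="= 0", 1, 0),
       chk_dotnet     = if(match(DotNetVersion, "Not!"), 0, 1),
       chk_powershell = if(match(PowershellVersion, "^5[.]1"), 1, 0),
       chk_dns        = if(DNS="142.250.179.195", 1, 0),
       chk_firewall   = if(AllFirewalls="are disabled", 1, 0),
       chk_commvault  = if(match(Commvault, "is Installed"), 1, 0),
       chk_snow       = if(match(Snow, "is Installed"), 1, 0),
       chk_symantec   = if(match(Symantec, "is Installed"), 1, 0),
       chk_splunk     = if(match(Splunk, "is Installed"), 1, 0),
       chk_snmp       = if(match(SNMP, "is installed"), 1, 0),
       chk_zabbix4    = if(match(Zabbix4, "is installed"), 1, 0),
       chk_zabbix2    = if(match(Zabbix2, "is installed"), 1, 0),
       chk_vmware     = if(match(VMware, "is Installed"), 1, 0),
       chk_backup     = if(match(BackupRoute, "was found"), 1, 0),
       chk_metric     = if(match(Metric, "is - Ethernet"), 1, 0),
       chk_license    = if(match(WindowsLicense, "Windows"), 1, 0),
       chk_os         = if(match(OS, "2016|2019"), 1, 0)
| eval failed = ""
| foreach chk_* [eval failed = if('<<FIELD>>'=0, failed . "<<MATCHSTR>> ", failed)]
| eval failed = trim(failed)
| eval status = if(failed="", "Compliant", "noncompliant")
| stats dc(host) as hosts, values(failed) as failing_checks by status
```

Because every rex above captures with .+ to the end of the line, exact comparisons such as AllFirewalls="are disabled" are false as soon as the captured value carries a trailing space or carriage return, which is the kind of silent rejection the failing_checks column is there to expose; match(OS,"2016|2019") is equivalent to the OR of two match() calls, and mixing match and NOT match in one case() condition is fine.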