Splunk Search

Help with a search for barcodes based by group?

KayBeesKnees83
Path Finder

I have a customer that would like to use Splunk to search for a set of devices by their respective barcodes.

The devices (barcodes) will come from an external list that will be placed in a separate index. For this scenario, the separate index will be referred to as "index 2". Additionally, the barcodes from the external list (which reside in index 2) will need to be matched to their respective organizations. 

These organizations reside in a separate index. For this scenario, the separate index (where the organization resides) will be referred to as "index 1".

In a nutshell, the customer would like to compare the list of barcodes in index 2 and compare it to index 1 and see if they match any organizations. 

Finally, if the a barcode (index 2) matches an organization (index 1), the customer would like to list all information associated with the barcode (i.e. hostname, serial number, organization name, etc.) that matched the organization. 

Thank you in advanced for your help! 🙂 

 

Labels (1)
Tags (1)
0 Karma
1 Solution

johnhua
Builder

Here are 2 very simple way to do it:

index=index1 [search index2 | dedup barcode | table barcode]
| stats latest(*) AS * by barcode
index IN (index1, index2)
| stats latest(*) AS * values(index) AS index_list dc(index) AS index_ct BY barcode
| eval matched=IF(index_ct=2, "Y", "N")

 

View solution in original post

johnhua
Builder

Here are 2 very simple way to do it:

index=index1 [search index2 | dedup barcode | table barcode]
| stats latest(*) AS * by barcode
index IN (index1, index2)
| stats latest(*) AS * values(index) AS index_list dc(index) AS index_ct BY barcode
| eval matched=IF(index_ct=2, "Y", "N")

 

KayBeesKnees83
Path Finder

Thank you for your reply 🙂 Both results returned different amounts. Option 1 returned about 20 results while Option 2 returned roughly 4 results.  

0 Karma

johnhua
Builder

Option 2 gives you a bit more flexibility if you want to see both matched and not matched records (e.g, filter on the field "matched" and "index_list")

0 Karma

KayBeesKnees83
Path Finder
| eval matched = if(isnull(organization), "no", "yes")

Which field should be listed as "organization"? 

0 Karma

yuanliu
SplunkTrust
SplunkTrust

"organization" was my spelling mistake.  Should be organization_name in accordance to the preceding code.

index IN (index1, index2) 
    [| tstats values(barcode) as barcode where index = index2]
| stats latest(hostname) as hostname latest(serial_number) as serial_number latest(organization_name) as organization_name latest(etc) as etc by barcode
| eval matched = if(isnull(organization_name), "no", "yes")

 

KayBeesKnees83
Path Finder

Unfortunately, only one event returns with "no" adjacent to the matched column. Furthermore,  the other columns do not fully populate with results. 

0 Karma

yuanliu
SplunkTrust
SplunkTrust

This is a well-written use case.  These specifics greatly help others to contribute.  The general idea is to put both indexed data sources together and discern which ones contain both sources, like this

index IN (index1, index2) 
    [| tstats values(barcode) as barcode where index = index2]
| stats latest(hostname) as hostname latest(serial_number) as serial_number latest(organization_name) as organization_name latest(etc) as etc by barcode
| eval matched = if(isnull(organization), "no", "yes")

(The subsearch can improve performance if index1 contains significantly more bar codes than index2; you can reverse it to "where index=index1" if the opposite is true, or drop the subsearch if the two indices contain about the same number of bar codes.)

Hope this helps.

KayBeesKnees83
Path Finder

Thank you for your reply. I sincerely appreciate your response. I had a question about the following: 

latest(etc) as etc by barcode

 

What is the "etc" argument/field? 

 

Tags (1)
0 Karma

KayBeesKnees83
Path Finder

My apologies on the "etc" post - I figured out that the "etc" represents the additional fields.

 

Thank you 🙂 

0 Karma
Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...