I have a customer that would like to use Splunk to search for a set of devices by their respective barcodes.
The devices (barcodes) will come from an external list that will be placed in a separate index. For this scenario, the separate index will be referred to as "index 2". Additionally, the barcodes from the external list (which reside in index 2) will need to be matched to their respective organizations.
These organizations reside in a separate index. For this scenario, the separate index (where the organization resides) will be referred to as "index 1".
In a nutshell, the customer would like to compare the list of barcodes in index 2 and compare it to index 1 and see if they match any organizations.
Finally, if the a barcode (index 2) matches an organization (index 1), the customer would like to list all information associated with the barcode (i.e. hostname, serial number, organization name, etc.) that matched the organization.
Thank you in advanced for your help! 🙂
Here are 2 very simple way to do it:
index=index1 [search index2 | dedup barcode | table barcode]
| stats latest(*) AS * by barcode
index IN (index1, index2)
| stats latest(*) AS * values(index) AS index_list dc(index) AS index_ct BY barcode
| eval matched=IF(index_ct=2, "Y", "N")
Here are 2 very simple way to do it:
index=index1 [search index2 | dedup barcode | table barcode]
| stats latest(*) AS * by barcode
index IN (index1, index2)
| stats latest(*) AS * values(index) AS index_list dc(index) AS index_ct BY barcode
| eval matched=IF(index_ct=2, "Y", "N")
Thank you for your reply 🙂 Both results returned different amounts. Option 1 returned about 20 results while Option 2 returned roughly 4 results.
Option 2 gives you a bit more flexibility if you want to see both matched and not matched records (e.g, filter on the field "matched" and "index_list")
| eval matched = if(isnull(organization), "no", "yes")
Which field should be listed as "organization"?
"organization" was my spelling mistake. Should be organization_name in accordance to the preceding code.
index IN (index1, index2)
[| tstats values(barcode) as barcode where index = index2]
| stats latest(hostname) as hostname latest(serial_number) as serial_number latest(organization_name) as organization_name latest(etc) as etc by barcode
| eval matched = if(isnull(organization_name), "no", "yes")
Unfortunately, only one event returns with "no" adjacent to the matched column. Furthermore, the other columns do not fully populate with results.
This is a well-written use case. These specifics greatly help others to contribute. The general idea is to put both indexed data sources together and discern which ones contain both sources, like this
index IN (index1, index2)
[| tstats values(barcode) as barcode where index = index2]
| stats latest(hostname) as hostname latest(serial_number) as serial_number latest(organization_name) as organization_name latest(etc) as etc by barcode
| eval matched = if(isnull(organization), "no", "yes")
(The subsearch can improve performance if index1 contains significantly more bar codes than index2; you can reverse it to "where index=index1" if the opposite is true, or drop the subsearch if the two indices contain about the same number of bar codes.)
Hope this helps.
Thank you for your reply. I sincerely appreciate your response. I had a question about the following:
latest(etc) as etc by barcode
What is the "etc" argument/field?
My apologies on the "etc" post - I figured out that the "etc" represents the additional fields.
Thank you 🙂