Splunk Search

How to find the match in the column data and mark it as completed?

Hema_Nithya
Explorer

There are two searches with CI_Name as the common field. I have the output and want to compare the two columns installed and Server_Installed_Package based on CI_Name as the common field; if both are common, mark it as "Completed" in another column. If there is no match, mark it as Not completed.

First search output:

CI_Name  installed                    shouldBe                      match
Server1  nss-3.44.0-7.el6_10          nss-3.44.0-13.el6_10
Server1  nss-devel-3.44.0-7.el6_10    nss-devel-3.44.0-13.el6_10
Server1  nss-sysinit-3.44.0-7.el6_10  nss-sysinit-3.44.0-13.el6_10


Second search output:

CI_Name Server_Installed_Package
Server1 libgdata-0.6.4-2.el6.x86_64
Server1 util-linux-ng-2.17.2-12.28.el6_9.2.x86_64
Server1 rt73usb-firmware-1.8-7.el6.noarch
Server1 sssd-1.13.3-60.el6_10.2.x86_64

ITWhisperer
SplunkTrust

For the first search, you can check whether the columns match like this.

| eval match=if(installed=shouldBe,"Complete","Not complete")

It is unclear what the second search is for.

Hema_Nithya
Explorer

I want to match with the second search field Server_Installed_Package and shouldBe

| eval match=if(Server_Installed_Package=shouldBe,"Complete","Not complete")

Server_Installed_Package from the second query
shouldBe from the first query

The common field between the two search queries is CI_Name.

ITWhisperer
SplunkTrust

<first search>
| append [<second search>]
| eventstats values(Server_Installed_Package) as Server_Installed_Package by CI_Name
| where isnotnull(installed)
| eval match=if(isnotnull(mvfind(Server_Installed_Package, shouldBe)), "Complete", "Not complete")

Hema_Nithya
Explorer

I tried the append; the final output displays all the packages in "Server_Installed_Package". I want only the package name as in "shouldBe".

CI_Name  installed            shouldBe              Server_Installed_Package                  Vul_Status
server1  nss-3.44.0-7.el6_10  nss-3.44.0-13.el6_10  nss-3.44.0-13.el6_10                      Complete
                                                    nss-devel-3.44.0-13.el6_10
                                                    nss-softokn-3.44.0-6.el6_10
                                                    nss-softokn-devel-3.44.0-6.el6_10
                                                    nss-softokn-freebl-3.44.0-6.el6_10
                                                    nss-softokn-freebl-3.44.0-6.el6_10.i686
                                                    nss-softokn-freebl-devel-3.44.0-6.el6_10
                                                    nss-sysinit-3.44.0-13.el6_10
                                                    nss-tools-3.44.0-13.el6_10
                                                    nss-util-3.44.0-1.el6_10
                                                    nss-util-devel-3.44.0-1.el6_10
                                                    nss_compat_ossl-0.9.6-2.el6_7

ITWhisperer
SplunkTrust

Add this line

| fields - Server_Installed_Package
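Putting the pieces of the thread together, here is the complete search as an added example; it is not code posted by either participant. It groups the installed-package list per CI_Name, replaces the regex-based mvfind test with an exact-match test (package names contain dots, which mvfind would treat as regex wildcards), and uses the Vul_Status column name from the poster's output. `<first search>` and `<second search>` stand for the two original searches, which are not shown in the thread.

```spl
<first search>
| append
    [ <second search>
      | fields CI_Name Server_Installed_Package ]
| eventstats values(Server_Installed_Package) as Server_Installed_Package by CI_Name
| where isnotnull(installed)
| eval Vul_Status=if(isnotnull(shouldBe) AND mvcount(mvdedup(mvappend(Server_Installed_Package, shouldBe)))=mvcount(Server_Installed_Package), "Complete", "Not complete")
| fields - Server_Installed_Package
| table CI_Name installed shouldBe Vul_Status
```

How it works: eventstats copies every package seen for the same CI_Name onto that CI's first-search rows as a multivalue field; the where clause then drops the appended second-search rows, which have no installed field. The exact-match test appends shouldBe to the package list and deduplicates it: the count stays the same only if shouldBe was already in the list, so a CI with no rows in the second search (null package list) correctly comes out as "Not complete" instead of producing a false "Complete". Because append runs the second search as a subsearch, the usual subsearch time and row limits apply; if the package inventory is large, a lookup table populated by the second search is a more robust way to carry the per-host package list.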