How to compare fields across multiple sourcetypes

raby1996
Path Finder

Hi all,
I'm working on a search that essentially would take the field results from one search where I'm looking for a specific PBM ("Problem Number") and the RMTMS ("Reporting Serial Numbers") associated with it, and compare it across another search where the update history of various machines is listed. In this other data I extract the "Bundle" and the serial number MTMS, so that I can compare the MTMS and RMTMS fields for equality, while appending the Bundle information to it. Essentially my end result would be a table that lists the Serial Number of each machine that has reported that specific problem number, as well as what Code level it is on.
Here is what I have so far, which is pretty much just the two searches. However, I haven't been able to compare the two fields; I have used join (the current search), append, and appendpipe, but I might be using them incorrectly.
Thank you in advance for any help.

index=* "PMB#1"
| rex field=storageFacilityMTMS "(?<RMTMS>2123-900\S+)"
| stats values(PMB) as PMB values(RMTMS) as RMTMS
| join [ search index=* "Code Levels" "Package Level" AND "Sea.ha"
    | rex "(?:\n|.)\s+(?<BU1>(?:8[7]+\.\d+\.\d+\.\d+))"
    | rex "(?m)Package:\s+ha(?:\n|.)*?VRMF:\s+(?<BU2>87\S+)"
    | rex "(?m)Package:\s+sfi(?:\n|.)*?VRMF:\s+(?<BU3>87\S+)"
    | rex "(?m)Package:\s+se(?:\n|.)*?VRMF:\s+(?<BU4>87\S+)"
    | eval Bundle=0 | foreach BU* [ eval Bundle=max(Bundle, '<<FIELD>>') ]
    | rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MTMS:(?<MT>\s+\d+\-\d+\S\S+)"
    | rex "(?m)Package:\s+SEA.ha(?:\n|.)*?Package Level:\s+(?<LIC>\d+\.\d+\.\d+\.\d+)"
    | rex "(?m)Package:\s+SEA.ha.*?(?<MTMS>\s+\d+\-\d+\S\S+)"
    | eval MTMS=coalesce(MT,MTMS)
    | stats list(MTMS) as MTMS, list(Bundle) as Bundle ]
| makemv RMTMS | mvexpand RMTMS
| stats list(MTMS) as MTMS values(RMTMS) as RMTMS, list(Bundle) as Bundle
| makemv MTMS | mvexpand MTMS
| stats list(RMTMS) as MTMS, list(Bundle) as Bundle

Search 1 (before join command)

PMB       RMTMS
#1        2123-900-1
          2123-900-2
          2123-900-3

Search 2 (after the join command in search)

MTMS            Bundle
2123-900-1       87.1
2123-900-2       87.2
2123-900-7       87.3
2123-900-8       87.4

Combined Results (matched RMTMS and MTMS)

PMB    Matched_MTMS's        Bundle
#1        2123-900-1           87.1
          2123-900-2           87.2

In a nutshell, I'm running two separate searches where I'm trying to match a field from each to create a single field (RMTMS, MTMS) while adding the other fields to it (PMB, Bundle).

0 Karma
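One way to produce the combined table without join, added here as an example and not code from the thread: run both searches as a single search with OR, normalise the serial field from each side into one common field, then stats by that field and keep only serials that have both a PMB and a Bundle. The field names and regexes are taken from the question; the combined field `serial` and the `BU_*` names are assumptions, and Bundle is chosen with the same max() approach the question uses.

```spl
(index=* "PMB#1") OR (index=* "Code Levels" "Package Level" "Sea.ha")
| rex field=storageFacilityMTMS max_match=0 "(?<RMTMS>2123-900\S+)"
| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MTMS:\s+(?<MTMS>\d+-\d+\S+)"
| rex "(?m)Package:\s+ha(?:\n|.)*?VRMF:\s+(?<BU_ha>87\S+)"
| rex "(?m)Package:\s+sfi(?:\n|.)*?VRMF:\s+(?<BU_sfi>87\S+)"
| rex "(?m)Package:\s+se(?:\n|.)*?VRMF:\s+(?<BU_se>87\S+)"
| eval Bundle=max(BU_ha, BU_sfi, BU_se)
| eval serial=coalesce(RMTMS, MTMS)
| mvexpand serial
| stats values(PMB) as PMB values(Bundle) as Bundle by serial
| where isnotnull(PMB) AND isnotnull(Bundle)
| table PMB serial Bundle
```

Because max() compares version strings lexicographically, a level such as 87.10.x sorts below 87.9.x; if that matters, split the VRMF into numeric parts before picking the highest.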

AndySplunks
Communicator

If I'm understanding this correctly, is this what you are looking for:

You do a search of problem tickets that have individual ID numbers: search PBM

The results are logs for the problem tickets with the various RMTMS values. The RMTMS values are the serial numbers of the machines associated to the problem tickets.

You then want to take the serial numbers and search your asset inventory to see what the patch level is and compare the systems to see if they are equivalent?

So for instance, I've got problem ID PBM 8675309. The RMTMS values that come back are serial numbers 00042, 01337, and 01010. I will then search my asset inventory to see if those three systems are all running NT 4 Patch 6 and IIS 3.12?

So then my end table would be:
00042 - NT 4 P 6 - IIS 3.12
01337 - OS/S IIS - IBM 2
01010 - NT 4 P 6 - IIS 3.11

Is that correct?

0 Karma

woodcock
Esteemed Legend

You need to explain exactly how the 2 datasets relate and what you are trying to correlate. The best way to do that is to give a minimalist set of sample events and then a mockup of the desired output. If you do this, I believe somebody will be able to help you. As it is, I have no idea what you are trying to do, but I am certain that your existing search is WAY over-complicated.

0 Karma

raby1996
Path Finder

Yes, you are right, thank you for pointing that out. I have revised it and hopefully it makes more sense now.

0 Karma

woodcock
Esteemed Legend

I still do not get it at all. Explain it like this:
Search 1:

blah blah1

Search 2:

blah blah 2

Results 1:

boo-hoo 1

Results 2:

boo-hoo 2

Desired Results:

foo bar success

0 Karma