Search Query for comparing OS from live search and...

harshsri21 · ‎05-17-2017

Hi All,

I need to create a report for comparing OS versions of hosts from live search and from the lookup. Trying to explain as below:

Source 1 : Live search like index ="ip-win-evt" and gives fields hosts and WindowsVersion

hosts WindowsVersion
Asset1 2003
Asset2 2008
Asset3 2012

Source2 : Lookup which contains fields Assets and Host_Operating_System

Assets Host_Operating_System
Asset1 2008
Asset2 2003
Asset3 2012

Desired Output : Comparison for OS from WindowsVersion and Host_Operating_System for the hosts

Assets WindowsVersion Host_Operating_System Difference
Asset1 2003 2008 Yes
Asset2 2008 2003 Yes
Asset3 2012 2012 No

Thanks in advance.

rafaelsalazar · ‎06-29-2017

Well there are a couple of solutions for this, at the end the strategy is doing a lookup, and then an eval applied.

But the better one is to configure an automatic lookup for this to enrich the data with the Host_Operating_System field from the lookup and so when you search it it already comes like this:
Assets, WindowsVersion, Host_Operating_System
Asset1, 2003, 2008
Asset2, 2008, 2003
Asset3, 2012, 2012

And then you just have to do and eval if(WindowsVersion=Host_Operating_System, "Yes", "No")
Check this link on how to create an automatic lookup

If you dont want to alter the index's harmony, then do a lookup on the asset and an eval
index=foo sourcetype=bar | lookup fooAssets.csv Assets OUTPUT Host_Operating_System | eval Difference=if(WindowsVersion=Host_Operating_System, "Yes", "No") | table _time, Assets, WindowsVersion, Host_Operating_System, Difference, _raw

Regards,
Rafael.

Search Query for comparing OS from live search and from lookup and showing the differences

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life