- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Loops on csv file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
i comeback to ask u again about my problem ;
so :
| inputlookup Obso_Inventory.csv
| eval Compo=case(Composant="WAF", "LBWAF", Composant="LOAD BALANCER", "LBWAF", Composant="PROXY", "Browsing", Composant="FIREWALL", "Firewall", Composant="GATEWAY SSL", "Remote Access", Composant="GATEWAY SSL VPN", "Remote Access", Composant="IPS", "Anti-Intrusion", Composant="TAP", "Anti-Intrusion")
|rename Compo as Composant
| search Composant="Firewall" Editeur="" Metier="" Platform="*"
| foreach Hostname [eval temp = if(match(Parent,Hostname), "hello", "Noooooo") ]
| table temp
when i execut this the result is :
Noooooo
Noooooo
Noooooo
Noooooo
Noooooo
Noooooo
the problem i me sur ther is a value from Parent that match Hostname
i want to that retun hello .
not only comparing in same raw that is the problem
thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kacel,
Try this
| inputlookup Obso_Inventory.csv
| eval Compo=case(Composant="WAF", "LBWAF", Composant="LOAD BALANCER", "LBWAF", Composant="PROXY", "Browsing",
Composant="FIREWALL", "Firewall", Composant="GATEWAY SSL", "Remote Access",
Composant="GATEWAY SSL VPN", "Remote Access", Composant="IPS", "Anti-Intrusion",
Composant="TAP", "Anti-Intrusion")
|rename Compo as Composant
| search Composant="Firewall" Editeur="" Metier="" Platform="*"
| eventstats values(Parent) as _tmp
| eval found=if(isnull(mvfind(_tmp,Hostname)),0,1)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kacel,
Try this
| inputlookup Obso_Inventory.csv
| eval Compo=case(Composant="WAF", "LBWAF", Composant="LOAD BALANCER", "LBWAF", Composant="PROXY", "Browsing",
Composant="FIREWALL", "Firewall", Composant="GATEWAY SSL", "Remote Access",
Composant="GATEWAY SSL VPN", "Remote Access", Composant="IPS", "Anti-Intrusion",
Composant="TAP", "Anti-Intrusion")
|rename Compo as Composant
| search Composant="Firewall" Editeur="" Metier="" Platform="*"
| eventstats values(Parent) as _tmp
| eval found=if(isnull(mvfind(_tmp,Hostname)),0,1)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much the result shows 1 when it is a match and 0 else .
its the best way to find same value of coulumn without using loops between two culumn
thank u.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
could you give us an explication please ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sure. Last two lines can be rewritten as below to give a better idea
| eventstats values(Parent) as tmp
| eval found=if(isnull(mvfind(tmp,Hostname)),0,1)
By using eventstats we create a list of "Parents" for each row. Host name is then matched against this list which returns null for non-matching and an index for matching records . The result is then evaluated using if and assigns to "found" . 1 and 0 can be replaced with any values for e.g. "Yes","No" etc
Hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Parent and Hostname must match exactly.
Please edit your query to show how the Parent and Hostname fields are obtained.
If this reply helps you, Karma would be appreciated.
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
