Splunk Search

"AND" a field over multiple events

mw
Splunk Employee

I'm having a tough time conceptualizing this, and was hoping someone could get my brain kickstarted. I have multiple events of the same type where I'd like to "AND" the values of a [multivalued] field. For example:

host=sys1 patch_id=456 cve="002, 007, 008" compliant=True
                            ^^^

host=sys1 patch_id=123 cve="001, 002, 003" compliant=False
                                 ^^^

Hopefully it's obvious that I can't just dedup these (e.g. dedup host, cve). These are 2 different events, each addressing a particular patch for that host. I'd like to graph compliance of each cve. Specifically, my question is with regards to cve=002. The host/patch has both a True and a False value, and should therefore be considered as compliant=False in the end. Only if all cve=002 for host=sys1 are compliant=True should I consider it to actually be compliant=True. Ultimately, those 2 events should end up "merging" as something closer to:

host=sys1 cve=002 compliant=False

Thoughts?

sideview
SplunkTrust

Assuming that the cve field is already being extracted as a multivalued field, then check out the following search.

<your search> | stats values(compliant) as compliant by host, cve 

That search will give you rows that are the unique combinations of host and cve, and each row will have a multivalued field 'compliant' that will be either [True], [True, False] or [False].

And then if you search that result set, you can get the hosts where cve=002 and compliance is false:

<your search> | stats values(compliant) as compliant by host, cve | search cve=002 compliant=False | top host

Or you could see the unique combinations of host and cve that were marked as not compliant with the following:

<your search> | stats values(compliant) as compliant by host, cve | search compliant=False | stats count by host, cve
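As an added example that is not part of the accepted answer or the asker's post, the following search carries the stats-by-host-and-cve idea through to the "AND" the asker wants: a host/cve pair is compliant only when none of its patch events report compliant=False, and the final chart counts pairs per cve in each state. It assumes the events look exactly like the two shown above; the makemv line is only needed if cve arrives as one comma-separated string and should be dropped if cve is already a multivalued field.

```spl
<your search>
| makemv delim=", " cve
| mvexpand cve
| stats count AS patches, count(eval(compliant="False")) AS failing BY host, cve
| eval compliant=if(failing > 0, "False", "True")
| chart count OVER cve BY compliant
```

For the two sample events, host=sys1 cve=002 gets patches=2, failing=1 and is therefore collapsed to compliant=False, while cve=007 and cve=008 stay True and cve=001 and cve=003 stay False. Because stats treats each value of a multivalued by-field separately, mvexpand is not strictly required, but it makes the per-cve split explicit for readers of the search.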

mw
Splunk Employee

Thanks, nick! I hadn't thought to use "stats values" to multivalue the field. Because I want to plot both compliant=True and compliant=False values, I assume I can add an eval and mvfilter in there, maybe to basically say "if compliant contains a value of False, compliant=False". Thanks for the jumpstart!
