Splunk:如何对具有相同列值的多行应用条件?
Splunk: How to apply conditionals for multiple rows with same column value?
我有一个 table,其中的列采用以下格式,其中 host_names 重复,并且单个主机可以同时具有合规和不合规值。我如何编写一个查询来检查每个 host_name 并将其标记为不合规,如果它的任何行不合规。
compliance host_name
Compliant Host1
Non-Compliant Host1
Compliant Host2
Non-Compliant Host3
Compliant Host4
例如:在上面的 table 中,主机 1 在其两行中同时具有合规和不合规值。由于其中一个值不合规,我想使用该主机一次并按以下格式创建一个 table。
compliance host_name
Non-Compliant Host1
Compliant Host1
Non-Compliant Host3
Compliant Host4
要仅显示 non-compliant 个主机,请将 | where compliance="Non-Compliant" 添加到您的查询中。
要查看 non-compliant 合规或不合规的主机,请尝试此 run-anywhere 示例查询。
| makeresults
| eval _raw="compliance host_name
Compliant Host1
Non-Compliant Host1
Compliant Host2
Non-Compliant Host3
Compliant Host4"
| multikv forceheader=1
```Everything above just sets up test data```
```Next, combine compliance values by host```
| stats values(compliance) as compliance by host_name
```Show only those that are non-compliant or both compliant and non-compliant```
| where (mvcount(compliance)>1 OR compliance="Non-Compliant")
我有一个 table,其中的列采用以下格式,其中 host_names 重复,并且单个主机可以同时具有合规和不合规值。我如何编写一个查询来检查每个 host_name 并将其标记为不合规,如果它的任何行不合规。
compliance host_name
Compliant Host1
Non-Compliant Host1
Compliant Host2
Non-Compliant Host3
Compliant Host4
例如:在上面的 table 中,主机 1 在其两行中同时具有合规和不合规值。由于其中一个值不合规,我想使用该主机一次并按以下格式创建一个 table。
compliance host_name
Non-Compliant Host1
Compliant Host1
Non-Compliant Host3
Compliant Host4
要仅显示 non-compliant 个主机,请将 | where compliance="Non-Compliant" 添加到您的查询中。
要查看 non-compliant 合规或不合规的主机,请尝试此 run-anywhere 示例查询。
| makeresults
| eval _raw="compliance host_name
Compliant Host1
Non-Compliant Host1
Compliant Host2
Non-Compliant Host3
Compliant Host4"
| multikv forceheader=1
```Everything above just sets up test data```
```Next, combine compliance values by host```
| stats values(compliance) as compliance by host_name
```Show only those that are non-compliant or both compliant and non-compliant```
| where (mvcount(compliance)>1 OR compliance="Non-Compliant")