I am trying to write a query that searches for a particular "application" that is installed to a number of machines. For example, I have an index that catalogs all applications installed. I am interested in a specific set of machines. The machines are:
SRV1
SRV2
SRV3
Each machine is the same base build, so for example if I run the following search "index=mysearch sourcetype=arp name="SRV*" this will provide me the following results for each server (the app, versions and install dates are made up)
name=SRV1, AppName="Flash" version="10" InstallDate="20190506"
name=SRV1, AppName="Notepad++" version="7.1.0" InstallDate="20181229"
name=SRV1, AppName="McAfee" version="6.2" InstallDate="20190506"
name=SRV2, AppName="Flash" version="10" InstallDate="20190506"
name=SRV2, AppName="Notepad++" version="7.1.0" InstallDate="20181229"
name=SRV2, AppName="McAfee" version="6.2" InstallDate="20190506"
name=SRV3, AppName="Flash" version="10" InstallDate="20190506"
name=SRV3, AppName="Notepad++" version="7.1.0" InstallDate="20181229"
name=SRV3, AppName="McAfee" version="6.2" InstallDate="20190506"
I have a requirement to say search for McAfee not being installed on the server. So if I adjust the results from the table to remove "McAfee" from SRV2 so that it looks like this
name=SRV1, AppName="Flash" version="10" InstallDate="20190506"
name=SRV1, AppName="Notepad++" version="7.1.0" InstallDate="20181229"
name=SRV1, AppName="McAfee" version="6.2" InstallDate="20190506"
name=SRV2, AppName="Flash" version="10" InstallDate="20190506"
name=SRV2, AppName="Notepad++" version="7.1.0" InstallDate="20181229"
name=SRV3, AppName="Flash" version="10" InstallDate="20190506"
name=SRV3, AppName="Notepad++" version="7.1.0" InstallDate="20181229"
name=SRV3, AppName="McAfee" version="6.2" InstallDate="20190506"
I am then trying to construct a query that looks for this "specific" value but not return the rest of the results that contain the same field. If I generate my query as "index=mysearch sourcetype=arp name="SRV*" | where AppName!="McAfee"" then this produces the following result
name=SRV1, AppName="Flash" version="10" InstallDate="20190506"
name=SRV1, AppName="Notepad++" version="7.1.0" InstallDate="20181229"
name=SRV2, AppName="Flash" version="10" InstallDate="20190506"
name=SRV2, AppName="Notepad++" version="7.1.0" InstallDate="20181229"
name=SRV3, AppName="Flash" version="10" InstallDate="20190506"
name=SRV3, AppName="Notepad++" version="7.1.0" InstallDate="20181229"
If I then adjust the search to be as follows "index=mysearch sourcetype=arp name="SRV*" AppName="McAfee" then this produces the following result
name=SRV1, AppName="McAfee" version="6.2" InstallDate="20190506"
name=SRV3, AppName="McAfee" version="6.2" InstallDate="20190506"
So this omits SRV2 which is expected. How do I write the query to show me that "SRV2" doesn't have "McAfee" but also omit all the other apps that share the same "field" name?
I have also got a separate index that lists the servers. For example "index=myserverlist" which would show
Name0=SRV1,IPv4=10.1.1.1,OS=Windows Server 2012 R2
Name0=SRV2,IPv4=10.1.1.2,OS=Windows Server 2012 R2
Name0=SRV3,IPv4=10.1.1.3,OS=Windows Server 2008 R2
I tried (and failed miserably) to do some form of a join or multisearch to say something along the lines of "here is a list of servers". I wanted to then say "for the servers that have been found in this list, go and have a look whether or not this 1 Application is installed but don't tell me about anything else that is installed (due to the shared field name)".
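One way to get the "servers in the list that have no McAfee row" answer without a join, as an added example that is not part of the original post. It assumes the field names shown above (`Name0` in index=myserverlist, `name`/`AppName` in index=mysearch sourcetype=arp) and reads both indexes in a single search, then lets `stats` group by server so a server that never contributed a McAfee event ends up with `has_mcafee=0`.

```spl
(index=myserverlist Name0="SRV*") OR (index=mysearch sourcetype=arp name="SRV*" AppName="McAfee")
| eval name=coalesce(name, Name0)                 ```one server key across both indexes```
| eval has_mcafee=if(index="mysearch", 1, 0)      ```only arp events survived the AppName filter```
| stats max(has_mcafee) AS has_mcafee, values(IPv4) AS IPv4, values(OS) AS OS BY name
| where has_mcafee=0                              ```keep servers with no McAfee row at all```
| fields name IPv4 OS
```

With the sample rows above this returns only SRV2 (10.1.1.2, Windows Server 2012 R2); because the other apps are filtered out in the base search rather than after the fact, they never appear, and a server that is in the list but has no inventory rows at all is also reported, which is usually what you want for an AV coverage check.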