topic Re: Nested case -> match within mvjoin in Splunk Search

Nested case -> match within mvjoin

Dworsnop — Wed, 09 Oct 2019 10:58:55 GMT

Hello, I'm trying to create an multi-value field 'category' which takes its value from a 'case(match(' that queries a users AD group membership and returns the category value based on the memberOf field; see below.

... | eval category=mvjoin(case(match(memberOf, "(?i)^.*?CN\={employee AD group}\,?.+"),"employee",match(memberOf, "(?i)^.*?CN\={domain admins AD group}\,?.+"),"privileged",match(memberOf, "(?i)^.*?CN\={restricted internet AD group}\,?.+"),"rest_int"), "|")

For some reason though the final 'category' field only ever contains one value, despite some users being in more than one of the AD groups. mvappend doesn't work either.

Re: Nested case -> match within mvjoin

richgalloway — Wed, 09 Oct 2019 12:33:35 GMT

The case command only matches once so there will only be a single value to pass to mvjoin.

Re: Nested case -> match within mvjoin

Dworsnop — Wed, 09 Oct 2019 12:53:20 GMT

Ah okay, thanks.

Any suggestions on how I can accomplish my goal?

Re: Nested case -> match within mvjoin

Dworsnop — Wed, 09 Oct 2019 13:50:35 GMT

Not to worry folks, I just did it this way...

| eval cat1=case(match(memberOf, "(?i)^.?CN={employee AD group}\,?.+"),"employee")
| eval cat2=case(match(memberOf, "(?i)^.?CN={domain admins AD group}\,?.+"),"privileged")
| eval cat3=case(match(memberOf, "(?i)^.*?CN={restricted internet AD group}\,?.+"),"rest_int")
| eval category=mvappend(cat1,cat2,cat3)

A bit more convoluted than I'd hoped but it works.

Re: Nested case -> match within mvjoin

woodcock — Wed, 09 Oct 2019 14:06:25 GMT

You should at least UpVote @richgalloway because he lead you directly to the answer.