topic Re: Splunk query - multiple values from a field in Splunk Search

Splunk query - multiple values from a field

verifi81 — Tue, 25 May 2021 15:06:52 GMT

Hi everyone. I'm trying to get this query going with one search but I can't seem to do that. I can only get it to work when I separate into two queries. Here are the two queries.

Query1:

index=wineventlog NewObjectDN="*OU=blue*" OldObjectDN=*"Rad Users"* signature_id=4147

Query2:

index=wineventlog NewObjectDN="*OU=blue*" OldObjectDN=*"Fad Users"* signature_id=4147

the Field OldObjectDN has multiple values I'm trying to combine into one search. What would the proper syntax be?

Re: Splunk query - multiple values from a field

isoutamo — Tue, 25 May 2021 15:11:49 GMT

You should try

index=wineventlog NewObjectDN="*OU=blue*" OldObjectDN IN (*"Rad Users"*, *"Fad Users"*) signature_id=4147

Re: Splunk query - multiple values from a field

yuanliu — Tue, 25 May 2021 15:12:50 GMT

Logical OR if the intention is to include both "Rad Users" and "Fad Users" in output.

index=wineventlog NewObjectDN="*OU=blue*" (OldObjectDN=*"Rad Users"* OR OldObjectDN=*"Fad Users"*) signature_id=4147

Re: Splunk query - multiple values from a field

verifi81 — Wed, 26 May 2021 00:19:53 GMT

HI Soutamo, If I use your suggestion I get other values of the oldobjectDN that don't match "Rad Users" or "Fad Users".

I want the search result to ONLY give me events when the OldObjectDN contains either of those two values.

Re: Splunk query - multiple values from a field

verifi81 — Wed, 26 May 2021 00:33:08 GMT

Because the value "Sad Users" is being returned as well.

Trying to only return these values:

Rad Users
Fad Users

Re: Splunk query - multiple values from a field

verifi81 — Wed, 26 May 2021 05:57:40 GMT

Yuanliu,

I'm trying to include either values but not both values.

Re: Splunk query - multiple values from a field

isoutamo — Wed, 26 May 2021 06:07:41 GMT

If I understand right, you want to implement XOR not OR operation?

As Splunk haven't XOR on SPL (SPL2 have it?) you must write it with NOT AND. In your case it should work like

index=wineventlog NewObjectDN="*OU=blue*" NOT (OldObjectDN=*"Rad Users"* AND OldObjectDN=*"Fad Users"*) signature_id=4147

r. Ismo

Re: Splunk query - multiple values from a field

yuanliu — Wed, 26 May 2021 06:10:42 GMT

Can you illustrate input data and how the desired output will look like?

Re: Splunk query - multiple values from a field

ITWhisperer — Wed, 26 May 2021 06:52:07 GMT

index=wineventlog NewObjectDN="*OU=blue*" (OldObjectDN=*"Rad Users"* OR OldObjectDN=*"Fad Users"*) AND NOT (OldObjectDN=*"Rad Users"* AND OldObjectDN=*"Fad Users"*) signature_id=4147

Re: Splunk query - multiple values from a field

verifi81 — Wed, 26 May 2021 14:29:33 GMT

Sure. Suppose I have this:

Field:
OldObjectDN

Possible values:
OU=Rad Users
OU=Fad Users
OU=Sad Users
OU=Bad Users
OU=Mad Users

I only want the search to return events only if OldobjectDN has the values for Rad User OR Fad Users

Re: Splunk query - multiple values from a field

verifi81 — Wed, 26 May 2021 14:44:55 GMT

I got it.
I had to do it this way

(OldObjectDN=*"OU=Rad Users"*) OR (OldObjectDN=*"OU=Fad Users"*)

I appreciate the help from both of you.