topic Re: Multi-value field how to match condition in case statement in Splunk Search

Multi-value field how to match condition in case statement

bestSplunker — Thu, 11 Apr 2019 06:21:01 GMT

hello everyone

I am analyzing the mail tracking log for Exchange.I divide the type of sendemail into 3 types.

@abc.com is my is our internal email domain name, recipient field is the recipient of the email, either a single-valued field or a multi-valued field.I want to use the case statement to achieve the following conditional judgments. src_user is the sender of the email, it is always a single value field

if recipient contain @abc.com (for example: abc@abc.com or test@abc.com;admin@abc.com) email domain then action is sendemail to internal
if recipient not contain @abc.com (for example: test@google.com or test@google.com;admin@yahoo.com) then action is sendemail to external
if recipient contain @abc.com or include a domain name other than @abc.com (for example: test@abc.com ; admin@google.com) then action is sendemail to internal and external

At the same time, I hope it supports a comprehensive judgment of multiple conditions.

for example

if src_user = "*@abc.com" and recipient contain @abc.com then action is sendemail from internal to internal

So I don't know how to match multivalued fields. I tried to use LIKE and = not working properly

Re: Multi-value field how to match condition in case statement

niketn — Thu, 11 Apr 2019 07:34:42 GMT

@bestSplunker pipe the following to your existing search results to break each multivalue field to separate event as separate row

| mvexpand recipent

Then you can add logic to forward to internal and external as per your logic. Please let us know if you need help with this logic as well. Or something does not work!

Re: Multi-value field how to match condition in case statement

bestSplunker — Thu, 11 Apr 2019 07:43:52 GMT

@niketnilay Do I have to convert multiple values to single values?

Re: Multi-value field how to match condition in case statement

knielsen — Thu, 11 Apr 2019 07:47:30 GMT

Here is an example solution: (first line is only generating your sample input to have it run as a cut and paste example)

| makeresults | eval recipient="abc@abc.com%abc@abc.com,test@abc.com%google@google.com%google@google.com,yahoo@yahoo.com%abc@abc.com,google@google.com" | makemv delim="%" recipient | mvexpand recipient | makemv delim="," recipient
| eval no_rec=mvcount(recipient), no_match=mvcount(mvfilter(match(recipient, "@abc\.com$")))
| eval action=case(no_match=no_rec, "sendemail to internal", no_match<no_rec, "sendemail to internal and external", true(), "sendemail to external")
| table recipient, action

Hth,
-Kai.

Re: Multi-value field how to match condition in case statement

bestSplunker — Thu, 11 Apr 2019 09:25:58 GMT

thank you! You're awesome!!!!