topic Re: Multi-value Field Help in Splunk Search

Multi-value Field Help

mhenrick — Thu, 11 Jul 2013 04:39:48 GMT

Hi Guys,

Right now I'm trying to set up a Splunk query to look for a series of Unix commands within either a multi-valued field (with all the commands) or a string that includes the command line. My only problem is that I'm unsure how to do the matching and I was planning on using a lookup table to hold all of the commands that I'm looking for. I've been leaning towards doing a regex implementation, but it just seems sloppy. Any ideas?

Re: Multi-value Field Help

linu1988 — Thu, 11 Jul 2013 05:35:02 GMT

How do you plan to execute unix command? Are the data indexed? If yes then the source=* will give you all the commands' result. then see how it can be done. Correct me if i am wrong.

Re: Multi-value Field Help

mhenrick — Thu, 11 Jul 2013 11:52:47 GMT

Hi linu1988, I'm not planning on running the Linux, this search is meant to look through collections of Unix logs. My problem is that I'm trying to look at a multivalve field from that search and figure out if any of those values are the input of a lookup table I have. For example, the log could have a field like: cp, mv, rm，and I'm looking to see if rm (or some other commands are in there).. I'm hesitant to do a huge regex, but think it may be my only option.

Re: Multi-value Field Help

linu1988 — Thu, 11 Jul 2013 12:10:46 GMT

Ahh i get it, So lookup is the best option/ a csv containing the commands. Just use a subsearch and get the result.

e.g.
Index=blah sourcetype=blah [|inputcsv command.csv]| table _raw

note:make sure any single column should be present to match

Re: Multi-value Field Help

mhenrick — Thu, 11 Jul 2013 15:09:05 GMT

Hi Linu1988, I'm not too versed in sub-searches. How would the loaded csv be compared to a multi-valued field?
For example, if I set the cvs up like this (don't worry about the values, I had a user-defined mapping originally)
CSV: fields are on top
|command|val..|val..|
|su |12321|12312|
|rm |12313|12312|
|mv |32134|12352|

and I'm trying to check if an excel field that has values like below is in there (all one cell, it's multi-valued):
| mv |
| cp |
| ls |

Thanks for the help

Re: Multi-value Field Help

linu1988 — Thu, 11 Jul 2013 15:28:45 GMT

evenif it's multi valued the field contains the keyword. I haven't tested as i don't have relevant data. Try it out, see if it's not working, use the multikv command to separate the mv fields, make it single valued field.