topic Re: Dynamic eval mvindex. in Splunk Search

Dynamic eval mvindex.

BoscoBaracus — Fri, 27 Sep 2024 06:25:26 GMT

Good morning fellow splunkers.

I have a challenge and was wondering if anyone could help me. In some logs with multiple fields with the same label, we use eval mvindex to assign different label for those fields. For example, In a log, we have two fields labelled "Account Name", first one corresponding to computer account and second to user account. We use mvindex to assign labels appropriately. This works well for a known number of fields.

Now, we also have logs, with groups of fields: action, module and rule:

         action: quarantine
         module: access
         rule: verified

         action: execute
         module: access
         rule: verified

         action: continue
         module: access
         rule: verified

         action: reject
         isFinal: true
         module: pdr
         rule: reject

I would like to use mvindex to label those so I can use those fileds more easily. In the example above, we have four groups of those fileds, thefore I wold have: action1, action2 etc (same for module and rule).

However, the number of groups changes. It could be one, two, three or more.

Is there any way to use mvindex dynamically somehow?

I imagine, we would have to first evaluate number of those fields (or group of fields) and then use mvindex to assign different labels?

Unless there is a different way to achieve our goal.

Many thnaks in advance for any advise.

Kind Regards,

Mike.

Re: Dynamic eval mvindex.

ITWhisperer — Fri, 27 Sep 2024 07:31:39 GMT

It is not clear what your events look like although you have done a good job at describing the information in them. Please share some (anonymised) raw events (in a code block) so we can see what you are dealing with. Also, a representation of your desired output would be informative.

Re: Dynamic eval mvindex.

BoscoBaracus — Fri, 27 Sep 2024 08:51:44 GMT

Good morning ITWhisperer,

Thank you very much for the prompt response.

The example I provided was for description purposes. The question is generally about using eval mvindex where number of fields (with the same name) changes depending on some circumstances.

For simplicity, lets presume we have some logs with "Action" field. The Action field may appear several times in a log, having different values. We do not know exactly how many Action fields we have in a particular event. As I said, it could be one, two three or even 10. That's the challenge. I need to be able to operate on those fileds, but each of them will represent differnt step:

Event 1:

Action: scan

Action: forward-sandbox

Action: Release

Action: Relay

Event2:

Action: scan

Action: Release

Action: Relay

Event3:

Action: scan

Action: Reject

In the example above, we have events containing Action fields. However, depending on the actions taken, number of those fields will vary. Therefore, it is difficult for me to use mvindex. I know how to use mvindex where number of fields with the same name or multivalued fields is known.

In our case, we do not know how many occurences of Action we have in a given event.

I hope this makes sense?

Kind Regards,

Mike.

Re: Dynamic eval mvindex.

PickleRick — Fri, 27 Sep 2024 10:25:49 GMT

I recognize PPS logs 😉

But seriously - mvindex does not assign anything within a multivalued field. It picks one (or more) of the values from an mvfield.

As a general remark - multivalued fields are really tricky to work with and if you need to correlate between separate multivalued fields (and I suspect you're aiming at something like that)... this is not going to end well.

What is the busines case and the actual data? Maybe it can be dealt with differently?

EDIT: But yes, mvindex can be indexed with dynamically asigned values. A run-anywhere example:

| makeresults 
| eval mv=mvappend("a1","a2","a3")
| eval index=mvfind(mv,"a2")
| eval value=mvindex(mv,index)

Re: Dynamic eval mvindex.

ITWhisperer — Mon, 30 Sep 2024 08:44:15 GMT

mvcount will give you the number of values in a multivalue field - does that help?

Re: Dynamic eval mvindex.

BoscoBaracus — Mon, 30 Sep 2024 08:52:30 GMT

Good morning ITWhisperer,

Many thanks for the suggestion. This might actually work. I could first evaluate number of fields and then use mvindex.

Will try that.

Again, many thank.

Kind Regards,

Mike.