output lookup field from a boolean between multipl...

3DGjos · ‎07-11-2018

Hello,

I'm trying to make an automatic lookup for action=success / failure / read / deleted / modified / etc. the problem is that my inputs are coming form multiple fields:

res=success/failed
type=user_auth
type=login
syscall=1/3/4/5/6/n

for example, when my inputs are:

(type=login OR type=user_start) AND res=success

action should be "success"

when:

(type=login OR type=user_auth) AND res=failed

action should be "failure"

and when:

syscall=4

action should be "deleted" (for example, I can map all the linux syscalls)

my props is:

[linux_audit]
LOOKUP-test1 = test_linux input_var1 AS syscall, input_var2 AS type, input_var3 AS res OUTPUTNEW output_var2 AS action

and my transforms is:

[test_linux]
batch_index_query = 0
case_sensitive_match = 0
filename = test_linux.csv

this is my csv:

input_var1,input_var2,input_var3,output_var2
2,,,read
,USER_LOGIN,failed,failure
,USER_START,failed,failure
,USER_LOGIN,success,success
,USER_START,success,success

Im not getting the 'action' field. I know i can do this easily with and EVAL case function, but I want to test if such lookup is posible. I mean, if an event meets the lookup requirement, it's action field should match to success/failure/deleted/modified/etc.

Thanks!

output lookup field from a boolean between multiple input fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation