output lookup field from a boolean between multipl...

3DGjos · ‎07-11-2018

Hello,

I'm trying to make an automatic lookup for action=success / failure / read / deleted / modified / etc. the problem is that my inputs are coming form multiple fields:

res=success/failed
type=user_auth
type=login
syscall=1/3/4/5/6/n

for example, when my inputs are:

(type=login OR type=user_start) AND res=success

action should be "success"

when:

(type=login OR type=user_auth) AND res=failed

action should be "failure"

and when:

syscall=4

action should be "deleted" (for example, I can map all the linux syscalls)

my props is:

[linux_audit]
LOOKUP-test1 = test_linux input_var1 AS syscall, input_var2 AS type, input_var3 AS res OUTPUTNEW output_var2 AS action

and my transforms is:

[test_linux]
batch_index_query = 0
case_sensitive_match = 0
filename = test_linux.csv

this is my csv:

input_var1,input_var2,input_var3,output_var2
2,,,read
,USER_LOGIN,failed,failure
,USER_START,failed,failure
,USER_LOGIN,success,success
,USER_START,success,success

Im not getting the 'action' field. I know i can do this easily with and EVAL case function, but I want to test if such lookup is posible. I mean, if an event meets the lookup requirement, it's action field should match to success/failure/deleted/modified/etc.

Thanks!

output lookup field from a boolean between multiple input fields

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

output lookup field from a boolean between multiple input fields

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk