Splunk Enterprise Security

Asset lookup with conditional eval

richardphung
Communicator

Greetings--
I have an asset lookup gen that begins with:

| stats latest(src_ip) as ip latest(os) as os **latest(primary_user) as owner latest(user_name) as user** latest(src_mac) as mac by client_name
| rex field=client_name "^[^\.]+\.(?P<dest_domain>.+)"
| rex field=client_name "^(?<nt_host>[^\.]+)"

However, out asset lookup fields do not contain "user":
https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Formatassetoridentitylist

ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av

When I try:

|makeresults | eval src="1.2.3.4" | get_asset(src)

It automatically puts primary_user as the owner.
However, I would ideally like it to:
Assign latest(user_name) as owner and if latest(user_name)=null, then assign latest(primary_user) as owner, and if both are $null, then to make owner default to "unknown"

I'm not sure how to include the eval latest() inside of |eval owner= case(...), etc.
Any advice would be greatly appreciated.

0 Karma
1 Solution

marycordova
SplunkTrust
SplunkTrust
|eval owner=if(isnotnull('user_name'),'user_name',(if(isnotnull('primary_user'),'primary_user',"unknown")))
| stats latest(src_ip) as ip latest(os) as os latest(owner) as owner latest(src_mac) as mac by client_name
| rex field=client_name "^[^\.]+\.(?P<dest_domain>.+)"
| rex field=client_name "^(?<nt_host>[^\.]+)"
@marycordova

View solution in original post

0 Karma

marycordova
SplunkTrust
SplunkTrust
|eval owner=if(isnotnull('user_name'),'user_name',(if(isnotnull('primary_user'),'primary_user',"unknown")))
| stats latest(src_ip) as ip latest(os) as os latest(owner) as owner latest(src_mac) as mac by client_name
| rex field=client_name "^[^\.]+\.(?P<dest_domain>.+)"
| rex field=client_name "^(?<nt_host>[^\.]+)"
@marycordova
0 Karma

richardphung
Communicator

This worked perfectly.
Thanks!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...