Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create a multivalue field with an eval function?

ejwade
Contributor
‎08-27-2018 09:43 AM

I need to create a multivalue field using a single eval function.

I'm using Splunk Enterprise Security and a number of the DNS dashboards rely on the field "message_type" to be populated with either "QUERY" or "RESPONSE".

In Bro DNS logs, query and response information is combined into a single event, so there is not Bro equivalent to message_type. To get around this (without having to change all the dashboards and affect other DNS data sources), I'm hoping to create a calculated field in the Bro app that will be multivalued with "QUERY" and "RESPONSE" as the values. I wanted to do something like this:

| eval message_type = "QUERY,RESPONSE" | makemv delim="," message_type

But the calculated fields don't seem to like piping functions, or functions that aren't eval. Any ideas?

Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-27-2018 03:21 PM

One (chain the two eval items)

| eval message_type=split( "QUERY,RESPONSE",",")

Two (better, use mvappend)

| eval message_type=mvappend("QUERY","RESPONSE")

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-27-2018 03:21 PM

One (chain the two eval items)

| eval message_type=split( "QUERY,RESPONSE",",")

Two (better, use mvappend)

| eval message_type=mvappend("QUERY","RESPONSE")
Reply
Solved! Jump to solution

ejwade
Contributor
‎08-27-2018 03:47 PM

That was 100% the right approach. Thank you DalJeanis and kamlesh_vaghela for your help!

Reply
Solved! Jump to solution

bkirk
Path Finder
‎11-07-2018 07:16 AM

Did you add this to the CIM for DNS resolution? I tried changing the Eval Expression in the CIM, and it breaks the datamodel.

Error in 'eval' command: The arguments to the 'mvappend' function are invalid.

0 Karma
Reply
Solved! Jump to solution

bkirk
Path Finder
‎11-07-2018 10:35 AM

This is what I added to the CIM and it worked I missed some quotes on the mvappend:
if(index=bro,mvappend("QUERY","RESPONSE"),if(isnull(message_type) OR message_type="","unknown",message_type))

0 Karma
Reply
Solved! Jump to solution

ejwade
Contributor
‎11-14-2018 08:14 PM

bkirk - I updated the calculated field "message_type" in props.conf instead of trying to manipulate its eval statement in the data model. The eval statement for message_type in the data model is good as it is, because it sets the value to message_type if it exists, otherwise, "unknown"

I put this in my props:

# Match all bro_* sourcetypes.
[(?::){}bro_*]

EVAL-message_type = split("QUERY,RESPONSE",",")
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎08-27-2018 10:06 AM

@ejwade

Have you tried this?

| eval message_type = "QUERY,RESPONSE" | eval message_type=split(message_type,",")
Reply
Solved! Jump to solution

ejwade
Contributor
‎08-27-2018 11:25 AM

That's a great suggestion. Unfortunately, it doesn't seem like calculated fields can pipe multiple eval expressions.

Also, they don't allow chaining multiple calculated fields together - all calculated fields are processed in parallel. I need to be able to create a field with value "QUERY,RESPONSE" and then reference this as multivalue in another field (can be new, can be same).

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...