Splunk Enterprise Security
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Matching value from two multi-value field
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twh1
Communicator
04-01-2020
11:21 PM
I am working with MS-Exchange data. I am taking recipient email value and matching with user lookup for other details. Same email have multiple matching values in lookup table. I want only matching records in same row, instead of repeating it.
Ex.: I have an email xyz@abc.com in log. I have 3 records matching in user lookup like below.
email first last id type
xyz@abc.com Ram Singh 1001 T
xyz@abc.com Ram Singh 1042 C
xyz@abc.com Ram Singh 1063 T
I am using below line to match recipient value and get other details from lookup.
| stats values(recipient) as recipient count by _time sender
| mvexpand recipient
| eval recipient=lower(recipient)
| lookup users email AS recipient OUTPUT id type first last
I am getting output like below.
sender recipient id type first last
abc@xyz.com xyz@abc.com 1001 T Ram Singh
1042 C
1063 T
But I am expecting result like this, so that i can perform some conditional action.
sender recipient id type first last
abc@xyz.com xyz@abc.com 1001 T Ram Singh
abc@xyz.com xyz@abc.com 1042 C Ram Singh
abc@xyz.com xyz@abc.com 1063 T Ram Singh
If I am using mvexpand command, it's providing wrong output rows.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
04-01-2020
11:53 PM
....
| stats values(recipient) as recipient count by _time sender
| mvexpand recipient
| eval recipient=lower(recipient)
| lookup users email AS recipient OUTPUT id
| mvexpand id
| lookup users id OUTPUT type first last
If you provide sample jpg, more clearly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twh1
Communicator
04-02-2020
01:04 AM
Hi @to4kawa ,
I have multi value field not NULL value field. If i have only 1 multi-value field, I can use mvexpand and get the output. But I have multiple multi -value field, for which I need row with respective value.
I have made little change in output now. Hope this will bring more clarity to my question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
04-01-2020
11:53 PM
....
| stats values(recipient) as recipient count by _time sender
| mvexpand recipient
| eval recipient=lower(recipient)
| lookup users email AS recipient OUTPUT id
| mvexpand id
| lookup users id OUTPUT type first last
If you provide sample jpg, more clearly.
Get Updates on the Splunk Community!
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Splunk App Dev Community Updates – What’s New and What’s Next
Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...
The Latest Cisco Integrations With Splunk Platform!
Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
