Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Substituting values from MV fields?

szabados
Communicator
‎04-03-2017 08:00 AM

In Enterprise Security, for a drill down action I want to use a field from the notable events, which can have multi valued fields as well.

In this case, if I simply do my_field_in_the_search=$myfield_in_the_notable$ in the drilldown search, the values are presented as follows:

my_field_in_the_search=value1,value2,value3

It cannot be used like this obviously, I would like to achieve something like

my_field_in_the_search=value1 OR my_field_in_the_search=value2, etc...

Is it possible to do this somehow?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-03-2017 03:01 PM

It seems a bit much to have to do, but this would work, as long as some value is selected...

Instead of ...

  index=foo my_field_in_the_search=$myfield_in_the_notable$

...you could code the search...

 index=foo [| makeresults |eval my_field_in_the_search=$myfield_in_the_notable$ | makemv delim="," my_field_in_the_search | mvexpand my_field_in_the_search | table my_field_in_the_search | format]

And the format command will turn it into ...

((my_field_in_the_search=value1) OR (my_field_in_the_search=value2)....)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-03-2017 03:01 PM

It seems a bit much to have to do, but this would work, as long as some value is selected...

Instead of ...

  index=foo my_field_in_the_search=$myfield_in_the_notable$

...you could code the search...

 index=foo [| makeresults |eval my_field_in_the_search=$myfield_in_the_notable$ | makemv delim="," my_field_in_the_search | mvexpand my_field_in_the_search | table my_field_in_the_search | format]

And the format command will turn it into ...

((my_field_in_the_search=value1) OR (my_field_in_the_search=value2)....)
0 Karma
Reply
Solved! Jump to solution

szabados
Communicator
‎04-06-2017 04:06 AM

This is great, thanks!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...