Splunk Enterprise Security

match field value with multi-field value


I have a result in one field from the lookup and also a result in a second field (multivalue results) from the lookup.

Accessed group = 1
Allowed group = 1

So if any value matches the allowed group, then it should not trigger.



Append this to your query:

...| eval allowed = if(like(allowed_group, "%".accessed_group."%"), "yes", "no")

It will check whether the values of accessed_group are present in allowed_group or not.

Accept the answer if it helps.

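An exact-match alternative, added here as an example and not part of either post above: `like()` with `%` wildcards is a substring test, so an accessed group of `2` would also be treated as allowed when the allowed list contains `12` or `20`, which silently suppresses the alert. `mvfind()` tests each value of the multivalue field separately against an anchored regex and returns the matching index (or null when nothing matches), so only a whole-value match counts as allowed. The sample data is constructed with `makeresults`; it assumes `allowed_group` reaches the search as a multivalue field (the `split()` line converts a comma-delimited lookup string into one and is harmless if it already is multivalue) and that group names contain no regex metacharacters.

```spl
| makeresults count=1
| eval accessed_group="2"
| eval allowed_group="1,12,20"
| eval allowed_group=split(allowed_group, ",")
| eval allowed_substring=if(like(mvjoin(allowed_group, ","), "%".accessed_group."%"), "yes", "no")
| eval allowed_exact=if(isnotnull(mvfind(allowed_group, "^".accessed_group."$")), "yes", "no")
| table accessed_group allowed_group allowed_substring allowed_exact
```

Run as written, the row shows `allowed_substring=yes` but `allowed_exact=no`: the accessed group `2` is not actually in the allowed list, so the alert should fire. In the real search, replace the two `eval` lines that build sample data with the lookup output and finish with `| where allowed_exact="no"` so only unauthorised accesses remain. If group names can contain characters such as `.` or `(`, wrap `accessed_group` with a `replace()` that escapes them before building the regex, or compare with `mvmap(allowed_group, if(allowed_group=accessed_group, 1, 0))` on Splunk 8.0 and later.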