Splunk Enterprise Security

match field value with multi-field value


I have a result in one field from the lookup and also a result in a second field (multivalue results) from the same lookup.

Accessed group = 1
Allowed group = 1, 2 (multivalue field)

So if any value matches the allowed group then it should not trigger.


Append this to your query,

...| eval allowed = if(like(allowed_group, "%".accessed_group."%"), "yes", "no")

It will check whether the value of accessed_group is present in allowed_group or not.

Accept the answer if it helps.

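An added, self-contained example (not part of the original question or answer) that you can paste into a Splunk search bar: it builds three constructed rows with makeresults, turns the semicolon-separated allowed_group column into a multivalue field, and computes the substring check from the answer above alongside an exact-match check using mvfind with an anchored regex. The field names accessed_group and allowed_group and the sample group values are assumptions for illustration. The point of row 2 is the caveat with the like() form: with accessed_group = 1 and allowed_group = 12, 13, a "%1%" substring match accepts the access even though group 1 is not actually allowed, whereas the anchored "^1$" match does not.

```spl
| makeresults count=3
| streamstats count AS row
| eval accessed_group = case(row==1, "1", row==2, "1", row==3, "3")
| eval allowed_group  = case(row==1, "1;2", row==2, "12;13", row==3, "1;2")
| makemv delim=";" allowed_group
| eval allowed_like  = if(like(allowed_group, "%".accessed_group."%"), "yes", "no")
| eval allowed_exact = if(isnotnull(mvfind(allowed_group, "^".accessed_group."$")), "yes", "no")
| table row accessed_group allowed_group allowed_like allowed_exact
```

With the exact-match column, row 1 is "yes" and rows 2 and 3 are "no"; in a real correlation search you would append `| where allowed_exact="no"` so that only accesses to groups outside the allowed list trigger. mvfind returns the index of the first multivalue entry matching the regex, or null when none does, which is why the test is isnotnull(...). Because the accessed_group value is spliced into a regex, group names containing regex metacharacters (dots, parentheses, plus signs) need to be escaped first, for example with replace() before the comparison.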