Splunk Enterprise

How to set a flag in Splunk using a lookup

hrs2019
Path Finder

Hello everyone,

I am trying to achieve the logic below:
| set a flag called <adminuser> if current user ID is present in lookup (in the lookup 4 name is there AAP1 APP2 AAP3)
| if adminuser is False, then filter where Requestor in event is <current user ID> else do not filter
|table "Requested Date" "ID" "Requestor" "MD" "SM" "SL" Status

My XML code is

 

index=* sourcetype="testapp" |eval split=split(Requestor, "@"), Requestor=mvindex(split, 0)
| eval "Requested Date" = strftime(_time,"%Y-%m-%d %H:%M:%S")
| Get current user ID = (| rest /services/authentication/current-context splunk_server=local | rename username as Requestor |eval split=split(Requestor, "@"), Requestor=mvindex(split, 0))
| set a flag called <adminuser> if current user ID is present in lookup (in the lookup 4 name is there AAP1 APP2 AAP3)
| if adminuser is False, then filter where Requestor in event is <current user ID> else do not filter
|table "Requested Date" "ID" "Requestor" "MD" "SM"  "SL"  Status

 

@niketnilay do you have any idea how to achieve the above logic?
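
One way to express the logic described in the post, as an added example that is not part of the original post or any reply to it. It assumes a lookup definition named `admin_users` with a column `user` holding the admin IDs (both names are hypothetical); `current_user`, `admin_match` and `u` are field names introduced for the example.

```spl
index=* sourcetype="testapp"
| eval Requestor=mvindex(split(Requestor, "@"), 0)
| eval "Requested Date"=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval current_user=[| rest /services/authentication/current-context splunk_server=local
    | head 1
    | eval u="\"" . mvindex(split(username, "@"), 0) . "\""
    | return $u]
| lookup admin_users user AS current_user OUTPUT user AS admin_match
| eval adminuser=if(isnotnull(admin_match), "True", "False")
| where adminuser="True" OR Requestor=current_user
| table "Requested Date" "ID" "Requestor" "MD" "SM" "SL" Status
```

The `where` clause only hides rows in this one search: a user who can run their own search against the index still sees every event, so restricting what non-admins can read has to be enforced through role and index permissions rather than in the dashboard query.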
