Splunk Search

Can I use lookup for whitelisting based on 2 columns?

izzie123
Path Finder

I have to whitelist fields based on 2 columns in a lookup, but the second column has multiple values.

So we have to whitelist based on the condition that the username and the destinations are in two fields in the same event.

In the event too, we have the field values(dest) so multiple destinations are in one cell.

The condition is that the user with those destinations should be whitelisted.

How can we achieve this?


yuanliu
SplunkTrust

Let me try to illustrate my understanding of the use case. You have a lookup, say whitelist, that contains two fields,

user    destination
user1   dest1,dest2,dest3
user2   dest1,dest3,dest4,dest5

You haven't described how the multiple values are separated, so I pick comma as the separator. You haven't described which field to look up; I assume it is user, which also exists in events with the same field name.

If these assumptions are correct, the SPL to implement your requirement would be something like

| lookup whitelist user ``` assuming match field is user ```
| eval destination = split(destination, ",") ``` assuming comma as separator ```
| eval whitelisted = mvmap(destination, if(dest == destination, "yes", null()))
| where isnotnull(whitelisted)

If, on the other hand, the multiple values in the lookup are not separated by a character but come from multiple listings, like

user    destination
user1   dest1
user2   dest1
user1   dest2
user2   dest3
user1   dest3
user2   dest5

The output from lookup would have already been multivalued. In this case, you won't need that split, i.e.,

| lookup whitelist user ``` assuming match field is user ```
| eval whitelisted = mvmap(destination, if(dest == destination, "yes", null()))
| where isnotnull(whitelisted)

(The moral of the story: Be specific about inputs.)
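The following is an added, self-contained test harness for the comma-separated variant above; it is not part of the answer, and it builds the events with makeresults and stands in for the `| lookup whitelist user` step with a `case()` eval (both constructed here as assumptions). It uses mvfind rather than a plain `==` so that a multivalued event field `dest` is checked value by value, and it computes both "any destination whitelisted" and "all destinations whitelisted", since the question leaves that choice open.

```spl
| makeresults | eval user="user1", dest="dest1 dest9"
| append [| makeresults | eval user="user2", dest="dest8"]
| append [| makeresults | eval user="user3", dest="dest1 dest3"]
| makemv delim=" " dest
| eval destination=case(user=="user1", "dest1,dest2,dest3",
                        user=="user2", "dest1,dest3,dest4,dest5")
| eval destination=split(destination, ",")
| eval matched=mvmap(destination,
        if(isnotnull(mvfind(dest, "^".destination."$")), destination, null()))
| eval unlisted=mvmap(dest,
        if(isnull(mvfind(destination, "^".dest."$")), dest, null()))
| eval any_whitelisted=if(isnotnull(matched), "yes", "no")
| eval all_whitelisted=if(isnull(unlisted), "yes", "no")
| table user dest destination matched unlisted any_whitelisted all_whitelisted
```

In a real search, replace the `case()` line with `| lookup whitelist user OUTPUT destination`; user1 comes out with any_whitelisted=yes and all_whitelisted=no (dest9 is not in its list), user2 is no/no, and user3, who has no lookup row, is also no/no. Because mvfind takes a regular expression, escape destination values that contain regex metacharacters such as `.` before comparing.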
