Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I use lookup for whitelisting based on 2 columns?

izzie123
Path Finder
‎12-05-2022 03:20 AM

I have to whitelist fields based on 2 columns in a lookup, but the second column has multiple values.

So we have to whitelist based on the condition that the username and the destinations are in two fields in the same event.

In the event too, we have the field values(dest) so multiple destinations are in one cell.

The condition is that the user with those destinations should be whitelisted.

How can we achieve this?

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎12-06-2022 12:15 AM

Let me try to illustrate my understanding of the use case. You have a lookup, say whitelist, that contains two fields,

userdestination
user1dest1,dest2,dest3
user2dest1,dest3,dest4,dest5

You haven't described how the multiple values are separated, so I pick comma as separator. You haven't described which field to look up; I assume it is user, which also exist in events with the same field name.

If these assumptions are correct, the SPL to implement your requirement would be something like

| lookup whitelist user ``` assuming match field is user ```
| eval destination = split(destination, ",") ``` assuming comma as separator ```
| eval whitelisted = mvmap(destination, if(dest == destination, "yes", null()))
| where isnotnull(whitelisted)

If, on the other hand, multiple values in lookup is not separated by a character, but is from multilisting, like

userdestination
user1dest1
user2dest1
user1dest2
user2dest3
user1dest3
user2dest5

The output from lookup would have already been multivalued. In this case, you won't need that split, i.e.,

| lookup whitelist user ``` assuming match field is user ```
| eval whitelisted = mvmap(destination, if(dest == destination, "yes", null()))
| where isnotnull(whitelisted)

(The moral of the story: Be specific about inputs.)

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...