Compare a field with a single string against a Mul...

JRamirezEnosys · ‎07-22-2021

My use case is the following, I have login information regarding which ASN a user logged in today on the field ASN and data from the authentication datamodel, which gives me a "list" of ASNs "values(ASN)" AS Multi_ASN

I was trying to use an eval to get a YES or NO answer, if the user have login from these ASNs. There was a lot of pain trying to get the command correct, but I ended up using this eval for this type of data

ASN = A1234
Multi_ASN = A1234 A2345 A3456

| eval Logged_before_from_ASN=if(IN(ASN, (split(Multi_ASN," "))) , "YES", "NO")

So the split divides the values in Multi_ASN and that is compared by the "if(IN(" but unfortunately there is no highlighting for "IN"

Any recommendations?

This eval is working but I wonder if there is a better way to do this

kamlesh_vaghela · ‎07-22-2021

@JRamirezEnosys

Correction in your search.

| eval Logged_before_from_ASN=if(split(m_asn," ")=asn, "YES", "NO")

My Sample Search :

| makeresults 
| eval m_asn="A1234 A2345 A3456" , asn="A1234"
| eval Logged_before_from_ASN=if(split(m_asn," ")=asn, "YES", "NO")

Thanks
KV
▄︻̷̿┻̿═━一 ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

venkatasri · ‎07-22-2021

Hi @JRamirezEnosys

Can you try this, this works.

| makeresults 
| eval m_asn="A1234 A2345 A3456" , asn="A1234"
| makemv delim=" " m_asn 
| eval result=if(asn == m_asn, "YES", "NO")

---

An upvote would be appreciated and Accept solution if this reply helps!

Compare a field with a single string against a Multi Field String

eval

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!