Splunk Search

Conditional Eval based on value in the field

abhisheks2412
New Member

I am trying to use transaction command to correlate two event types. I need to correlate events based on value in "id" part of the following searches.
Search 1:- event=A somefield=job_type-id
For Eg:- event=end somefield=job1-AAAAAAAAA
Search 2:- event=B job_type=id
For Eg:- event=start job1=AAAAAAAAA
Can contain multiple job_types in single event

Search 1 can contain 4 different types of "job_type", like, job1, job2, job3 and job4. Search 1 will only contain one "job_type" for any given event. Value of "id" is not extracted in any field.
Search 2 contains the above 4 types of jobs with corresponding "id". But, few Search 2 events can have multiple job_types. For Eg:- event=start job1=AAAAAAAAA job2=BBBBBBBB

I am using following transaction search,

(Search 1) OR (Search 2)
| rex somefield=(?>type>\w+\d)-(?>id>.*)
| eval newfield=if(len(id)>0,id,if(len(job1)>0,job1,if(len(job2)>0,job2,if(len(job3)>0,job3,if(job4)>0,job4,""))))
| transaction newfield keepevicted=true maxspan=1m
| where eventcount < 2
| table _raw type id

Above search works fine, but when Search 1 contains job3 as job_type and Search 2 contains job1 and job3. It does not correlates events. This is expected as in "eval" condition job1 is given preference.

I wanted to know if there is a way to reorder the "eval" condition based on job_type in Search 1, something like below (it does not works),

| eval a = if(len(id)>0,id,if(len(job1)>0,job1,if(len(job2)>0,job2,if(len(job3)>0,job3,if(job4)>0,job4,""))))
| eval b = if(len(id)>0,id,if(len(job2)>0,job2,if(len(job1)>0,job1,if(len(job3)>0,job3,if(job4)>0,job4,""))))
| eval c = if(len(id)>0,id,if(len(job3)>0,job3,if(len(job2)>0,job2,if(len(job1)>0,job1,if(job4)>0,job4,""))))
| eval d = if(len(id)>0,id,if(len(job4)>0,job4,if(len(job2)>0,job2,if(len(job3)>0,job3,if(job1)>0,job1,""))))
| eval newfield=case(
type=job1, a,
type=job2, b,
type=job3, c,

type=job4, d,
1 == 1, "NULL"
)

0 Karma

Richfez
SplunkTrust
SplunkTrust

So, if I'm reading this correctly...

In event 2, which job do you want to match on?

Could you provide samples of the four possible styles of events for each of search 1 and search 2? Obviously, redact information that shouldn't get out, but also keep in mind we're data people - we can read data and also sometimes if you obfuscate too well we "lose sight of what it is you are doing". Also, most information isn't as secret as people think. 🙂

0 Karma

ddrillic
Ultra Champion

The case command can help here.

Something in the spirit of eval a = case (len(id) > 0,id, len(job1) > 0, job1, .......

0 Karma

abhisheks2412
New Member

I tried with case as well, but does not help.

0 Karma
Get Updates on the Splunk Community!

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...