Good morning fellow splunkers.
I have a challenge and was wondering if anyone could help me. In some logs with multiple fields with the same label, we use eval mvindex to assign different labels to those fields. For example, in a log we have two fields labelled "Account Name", the first one corresponding to the computer account and the second to the user account. We use mvindex to assign labels appropriately. This works well for a known number of fields.
Now, we also have logs with groups of fields: action, module and rule:
action: quarantine
module: access
rule: verified
action: execute
module: access
rule: verified
action: continue
module: access
rule: verified
action: reject
isFinal: true
module: pdr
rule: reject
I would like to use mvindex to label those so I can use those fields more easily. In the example above, we have four groups of those fields, therefore I would have: action1, action2 etc. (same for module and rule).
However, the number of groups changes. It could be one, two, three or more.
Is there any way to use mvindex dynamically somehow?
I imagine we would have to first evaluate the number of those fields (or groups of fields) and then use mvindex to assign different labels?
Unless there is a different way to achieve our goal.
Many thanks in advance for any advice.
Kind Regards,
Mike.
I recognize PPS logs 😉
But seriously - mvindex does not assign anything within a multivalued field. It picks one (or more) of the values from an mvfield.
As a general remark - multivalued fields are really tricky to work with and if you need to correlate between separate multivalued fields (and I suspect you're aiming at something like that)... this is not going to end well.
What is the business case and the actual data? Maybe it can be dealt with differently?
EDIT: But yes, mvindex can be indexed with dynamically assigned values. A run-anywhere example:
| makeresults
| eval mv=mvappend("a1","a2","a3")
| eval index=mvfind(mv,"a2")
| eval value=mvindex(mv,index)
Good morning ITWhisperer,
Thank you very much for the prompt response.
The example I provided was for description purposes. The question is generally about using eval mvindex where the number of fields (with the same name) changes depending on some circumstances.
For simplicity, let's presume we have some logs with an "Action" field. The Action field may appear several times in a log, having different values. We do not know exactly how many Action fields we have in a particular event. As I said, it could be one, two, three or even 10. That's the challenge. I need to be able to operate on those fields, but each of them will represent a different step:
Event 1:
Action: scan
Action: forward-sandbox
Action: Release
Action: Relay
Event 2:
Action: scan
Action: Release
Action: Relay
Event 3:
Action: scan
Action: Reject
In the example above, we have events containing Action fields. However, depending on the actions taken, the number of those fields will vary. Therefore, it is difficult for me to use mvindex. I know how to use mvindex where the number of fields with the same name or multivalued fields is known.
In our case, we do not know how many occurrences of Action we have in a given event.
I hope this makes sense?
Kind Regards,
Mike.
mvcount will give you the number of values in a multivalue field - does that help?
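Putting the two suggestions together (mvcount to find how many values an event carries, mvindex to pick them out by position), here is an added run-anywhere example; it is not part of the original thread or anyone's posted search. It constructs the three events from the question with makeresults, so the sample values and the field names event_no, action_count, first_action, last_action, rejected and Action1..Action10 are assumptions chosen for illustration:

```spl
| makeresults count=3
| streamstats count AS event_no
| eval Action=case(event_no==1, "scan|forward-sandbox|Release|Relay",
                   event_no==2, "scan|Release|Relay",
                   event_no==3, "scan|Reject")
| eval Action=split(Action, "|")
| eval action_count=mvcount(Action)
| eval first_action=mvindex(Action, 0)
| eval last_action=mvindex(Action, -1)
| eval rejected=if(isnotnull(mvfind(Action, "^Reject$")), "yes", "no")
| foreach 1 2 3 4 5 6 7 8 9 10
    [ eval Action<<FIELD>>=mvindex(Action, <<FIELD>> - 1) ]
| table event_no action_count first_action last_action rejected Action*
```

The first five eval lines only stand in for the repeated "Action: value" extraction from real events (constructed sample data). The foreach loop does the dynamic labelling: it runs the templated eval once per listed number, and because mvindex returns null for an index past the end of the field, event 3 only ends up with Action1 and Action2 while event 1 gets Action1 to Action4. The list sets the ceiling, so extend it if an event can carry more steps than that. For most security questions the count is not needed at all: mvindex(Action, -1) gives the final disposition whatever the number of steps, and mvfind tells you whether a particular step such as Reject occurred anywhere. For the action/module/rule groups, mvzip(action, module, "/") and a second mvzip with rule can stitch the three multivalue fields into one value per step, but that pairing is purely positional, which is the pitfall PickleRick raised: if any group in an event omits one of the keys, every later step shifts by one. If Splunk only keeps the first occurrence of a repeated field, the extraction needs MV_ADD = true in transforms.conf before any of this applies.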
Good morning ITWhisperer,
Many thanks for the suggestion. This might actually work. I could first evaluate the number of fields and then use mvindex.
Will try that.
Again, many thanks.
Kind Regards,
Mike.
It is not clear what your events look like although you have done a good job at describing the information in them. Please share some (anonymised) raw events (in a code block) so we can see what you are dealing with. Also, a representation of your desired output would be informative.