Splunk Search

Dynamic eval mvindex.

BoscoBaracus
Loves-to-Learn Lots

Good morning fellow splunkers.

I have a challenge and was wondering if anyone could help me. In some logs with multiple fields with the same label, we use eval mvindex to assign different labels to those fields. For example, in a log we have two fields labelled "Account Name", the first one corresponding to the computer account and the second to the user account. We use mvindex to assign labels appropriately. This works well for a known number of fields.

Now, we also have logs, with groups of fields: action, module and rule:

action: quarantine
module: access
rule: verified

action: execute
module: access
rule: verified

action: continue
module: access
rule: verified

action: reject
isFinal: true
module: pdr
rule: reject

I would like to use mvindex to label those so I can use those fields more easily. In the example above, we have four groups of those fields, therefore I would have: action1, action2 etc (same for module and rule).

However, the number of groups changes. It could be one, two, three or more.

Is there any way to use mvindex dynamically somehow?

I imagine, we would have to first evaluate number of those fields (or group of fields) and then use mvindex to assign different labels?

Unless there is a different way to achieve our goal.

Many thanks in advance for any advice.

Kind Regards,

Mike.

PickleRick
SplunkTrust

I recognize PPS logs 😉

But seriously - mvindex does not assign anything within a multivalued field. It picks one (or more) of the values from an mvfield.

As a general remark - multivalued fields are really tricky to work with and if you need to correlate between separate multivalued fields (and I suspect you're aiming at something like that)... this is not going to end well.

What is the business case and the actual data? Maybe it can be dealt with differently?

EDIT: But yes, mvindex can be indexed with dynamically assigned values. A run-anywhere example:

| makeresults
| eval mv=mvappend("a1","a2","a3")
| eval index=mvfind(mv,"a2")
| eval value=mvindex(mv,index)

BoscoBaracus
Loves-to-Learn Lots

Good morning ITWhisperer,

Thank you very much for the prompt response.

The example I provided was for description purposes. The question is generally about using eval mvindex where number of fields (with the same name) changes depending on some circumstances.

For simplicity, let's presume we have some logs with an "Action" field. The Action field may appear several times in a log, having different values. We do not know exactly how many Action fields we have in a particular event. As I said, it could be one, two, three or even 10. That's the challenge. I need to be able to operate on those fields, but each of them will represent a different step:

Event 1:

Action: scan

Action: forward-sandbox

Action: Release

Action: Relay

Event2:

Action: scan

Action: Release

Action: Relay

Event3:

Action: scan

Action: Reject

In the example above, we have events containing Action fields. However, depending on the actions taken, the number of those fields will vary. Therefore, it is difficult for me to use mvindex. I know how to use mvindex where the number of fields with the same name or multivalued fields is known.

In our case, we do not know how many occurrences of Action we have in a given event.

I hope this makes sense?

Kind Regards,

Mike.

ITWhisperer
SplunkTrust

mvcount will give you the number of values in a multivalue field - does that help?
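
Putting the two suggestions together (mvcount for the number of values, mvindex for picking each one) gives a run-anywhere search that labels the values action1 .. actionN for however many there are per event. This is an added example, not one of the posters' searches; the three events are constructed from Mike's description, and the `Action:` regex is an assumption about what the raw events look like (the same pattern applies to module and rule).

```spl
| makeresults count=3
| streamstats count AS event_id
| eval _raw=case(event_id==1, "Action: scan Action: forward-sandbox Action: Release Action: Relay",
                 event_id==2, "Action: scan Action: Release Action: Relay",
                 event_id==3, "Action: scan Action: Reject")
| rex field=_raw max_match=0 "Action:\s+(?<Action>\S+)"
| eval n_actions=mvcount(Action)
| eval last_action=mvindex(Action, n_actions - 1)
| eval idx=mvrange(0, n_actions)
| mvexpand idx
| eval label="action".tostring(idx + 1)
| eval {label}=mvindex(Action, idx)
| stats first(n_actions) AS n_actions first(last_action) AS last_action values(action*) AS action* BY event_id
```

The rex with max_match=0 collects every Action occurrence into one multivalue field, mvrange builds the index list 0 .. n_actions-1, mvexpand gives one row per index so that eval with a braced field name can create action1, action2, ... dynamically, and the final stats folds the rows back into one per event (event 1 ends up with action1..action4, event 3 with only action1 and action2).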

BoscoBaracus
Loves-to-Learn Lots

Good morning ITWhisperer,

Many thanks for the suggestion. This might actually work. I could first evaluate number of fields and then use mvindex.

Will try that.

Again, many thanks.

Kind Regards,

Mike.

ITWhisperer
SplunkTrust

It is not clear what your events look like although you have done a good job at describing the information in them. Please share some (anonymised) raw events (in a code block) so we can see what you are dealing with. Also, a representation of your desired output would be informative.