Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extracting a multivalue key-value pair to mult...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extracting a multivalue key-value pair to multivalue field for lookup
egrzeszczak
Loves-to-Learn Everything
01-09-2024
05:21 AM
Hello,
As I want to get my email events CIM compliant, I have trouble parsing a "disposition" key-value pair.
Example:
Having an event:
date=2024-01-09 time=11:59:43.258 device_id=XXXXXXXXXXXXXX log_id=0200012329 type=statistics pri=information session_id="4XXXXXXXXXXX-4XXXXXXXXXXXXX" client_name="example.com" disposition="Modify Subject;Insert Disclaimer;Defer Disposition" classifier="Data Loss Prevention" message_length="94756" subject="Test subject" message_id="xxxxxxxxxxxxxxxxxxxx@example.com" recv_time="" notif_delay="0" scan_time="0.186489" xfer_time="0.002166" srcfolder="" read_status="
I have disposition field extracted at search-time with the value "Modify Subject;Insert Disclaimer;Defer Disposition"
Want I need to do is to separate the values into a multivalue field, and then use a lookup to determine the action.
Lookup file:
vendor_action,action
Accept,delivered
Reject,blocked
Add Header,delivered
Modify Subject,
Quarantine,quarantined
Discard,blocked
Replace,
Delay,
Rewrite,
Insert Disclaimer,
Defer Disposition,delivered
Disclaimer Body,delivered
Disclaimer Header,delivered
Defer,
Quarantine to Review,quarantined
Content Filter as Spam,
Encrypt,
Decrypt,
Alternate Host,
BCC,
Archive,
Customized repackage,
Repackage,
Notification,
In the end, the event should have a field named action, and the value should for this example be delivered
My props.conf:
[fortimail]
...
...
LOOKUP-action = fortimail_action_lookup.csv vendor_action as disposition OUTPUT action
REPORT-disposition = disposition_extraction
My transforms.conf:
[disposition_extraction]
SOURCE_KEY = disposition
DELIMS = ";"
MV_ADD = true
But eventually i just end up with the original value ("Modify Subject;Insert Disclaimer;Defer Disposition") and it doesn't get separated
What am I doing wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
egrzeszczak
Loves-to-Learn Everything
01-09-2024
05:47 AM
After a while I solved my problem with a EVAL statement 🙂
My props.conf is now:
...
...
EVAL-disposition_split = split(disposition, ";")
LOOKUP-action = fortimail_action_lookup.csv vendor_action AS disposition_split OUTPUT action
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
Hello Splunkers, We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...
May 2026 Splunk Expert Sessions: Security & Observability
Level Up Your Operations: May 2026 Splunk Expert Sessions
Whether you are refining your security posture or ...
