Re: Help with Logic when a multivalue field appear...

Esky73 · ‎05-18-2022

I have some events coming in that use a lookup to resolve to an action eg :

Block,block,not sent = blocked

tagged, delivered, logged = delivered

Occasionally a multivalue field appears such as :

Tagged

Logged

OR

Tagged

Block

the Logic should be :

Tagged Logged = delivered

Tagged Block = Block

Trying to figure out how to add this logic to utilise the lookup.

Played around with nomv which creates a single value field but adds a \n so the value becomes : Tagged\nLogged

But then i need to do do a sedcmd to remove the \n and then add the result to the lookup to resolve the desired action.

Is there a better approach in this scenario ?

thx

gcusello · ‎05-18-2022

Hi @Esky73,

the action you are describing is called normalization and it's usually done to normalize logs to CIM compliance.

At first I hint to see if there's an Add-on that already made normalization for your logs, if there isn't I hint to use calculated fields, e.g. something like this:

| eval action=case(action="Block","blocked",action="block","blocked",action="not sent","blocked",action="tagged","delivered", action="delivered","delivered", action="logged","delivered")

About the multivalue, see if it's possible to extract fields in a different way or use "like" in the above condition.

Ciao.

Giuseppe

Help with Logic when a multivalue field appears: How to utilise lookup?

field extraction

fields

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?