How do you enforce a lookup match for all values o...

Murali2888 · ‎02-04-2019

I have a multivalue field in my events and I want to do a lookup against a multivalue field in kvstore field. Event field can either have all values of kvstore mv field or a subset of it. Existing lookup command matches at least one of the values. I want to enforce a match only if all values are present in the kvstore field.

kvstorefieldA
A1 A2 A3
B1 B2 B3 B4 B5

event fieldX
A1 A2 A3
A1 A4

How can I enforce that only the first value of fieldX matches and the second does not?

woodcock · ‎02-13-2019

You cannot directly but you can easily adjust your situation to make it work. First fix your lookup with this search:

|inputlookup YourLookupHere
| stats values(kvstorefieldA) AS kvstorefieldA BY Your Other Field Names Here
| nomv kvstorefieldA
| outputlookup YourLookupHere

Now adjust your search like this:

Your Search Stuff
| eval kvstorefieldA=mvdedup(mvsort(kvstorefieldA))
| nomv kvstorefieldA
| lookup YourLookupHere kvstorefieldA

The nomv command flattens the mulit-valued field into a space-delimited single-value field.

How do you enforce a lookup match for all values of a multivalue field?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?