How to achieve conditional eval/searchmatch or subsearch result based on the value of another field?


I have a scenario where I am analyzing the format of a given string to determine what the name of the format is (e.g. UPN, Samaccount, etc.). From there, I am trying to do a conditional enrichment via lookup to determine more information about the user in question. The trouble is I have 4 "potential" systems of record the account could come from, and different authoritative key/value pairs to uniquely identify the user. The good news is there is at least one value in each of these systems of record that is the same thing, so I need to normalize that down.

My method of attacking this:
AccountType=(formula to determine "samact", "upn", or "other")

I have to use lookup because inputlookup does not appear to have any idea what $variables$ are in an eval statement.

SOR1_upn=if(AccountType = "upn", [makeresults count=1 |eval user=$user$ | lookup SOR1.csv userPrincipleName AS user | fields givenName |head 1|return $givenName], "")

I would have expected this to work using normal subsearch logic, so I don't know if it's a problem using it with eval or if there is some additional escape character I should be providing.

Another method I thought of for attacking this is just to create unique values for every possible outcome I want from the different SORs with unique names, and then coalesce them all together, but this seems like there should be a more elegant way to do this in Splunk.

In summary: identify the type of account it is, check 4 different SORs for the presence of that account, return a fixed set of values from each one that should ideally all represent the same individual if they do exist in more than one place, and then coalesce them together.



In the scenario explained above, I need to have a separate lookup line for each of the potential format types I'm starting with, outputting the other accompanying types that I need to identify which belong to the same individual. In the solution provided for each SOR, that's basically 9 lookup calls per person (3 per SOR). I think I was actually trying to simplify that, not overcomplicate it, since I can eval a new field telling me what format the event originates with. 🙂

Ultimately what I was looking for was the ability to run a search (to read the SOR lookup, it didn't HAVE to be a subsearch) that triggers on the THEN side of the IF statement in the evaluation. It sounds like this may not be possible, so I will take the 9 lookup command approach. I appreciate the assistance with this!



Subsearches are run before the outer search, so you cannot pass 'parameters' to the subsearch from the outer.

Not sure if I fully understood the explanation, but if you have 4 SORs then you could do something along the lines of

| lookup SOR1.csv userPrincipleName AS user OUTPUT givenName as gn_SOR1
| lookup SOR2.csv userPrincipleName AS user OUTPUT givenName as gn_SOR2
| lookup SOR3.csv userPrincipleName AS user OUTPUT givenName as gn_SOR3
| lookup SOR4.csv userPrincipleName AS user OUTPUT givenName as gn_SOR4
| eval givenName=coalesce(gn_SOR1, gn_SOR2, gn_SOR3, gn_SOR4)

as you allude to in your text.
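Putting the two replies together as one complete search, with the "conditional" part handled by the key field rather than by a subsearch. This is an added example, not from the original thread: SOR1.csv and SOR2.csv, their column names (userPrincipleName, sAMAccountName, mail, objectSid, givenName, employeeID), the format regexes and the three sample identifiers are all assumptions constructed for illustration; two SORs are shown and the remaining ones are added the same way.

```spl
| makeresults count=1
| eval user="alice@corp.example,jdoe,S-1-5-21-1004336348-1177238915-682003330-1001"
| makemv delim="," user
| mvexpand user
| fields - _time
| eval AccountType=case(
    match(user, "^[^@ ]+@[^@ ]+$"),          "upn",
    match(user, "^S-1-[0-9]+(-[0-9]+)+$"),  "sid",
    match(user, "^[A-Za-z0-9._-]{1,20}$"),  "samact",
    true(),                                 "other")
| eval key_upn=if(AccountType="upn", user, null()),
       key_sam=if(AccountType="samact", user, null()),
       key_sid=if(AccountType="sid", user, null())
| lookup SOR1.csv userPrincipleName AS key_upn OUTPUT givenName AS gn_sor1_upn, employeeID AS eid_sor1_upn
| lookup SOR1.csv sAMAccountName   AS key_sam OUTPUT givenName AS gn_sor1_sam, employeeID AS eid_sor1_sam
| lookup SOR2.csv mail             AS key_upn OUTPUT givenName AS gn_sor2_upn, employeeID AS eid_sor2_upn
| lookup SOR2.csv objectSid        AS key_sid OUTPUT givenName AS gn_sor2_sid, employeeID AS eid_sor2_sid
| eval gn_sor1=coalesce(gn_sor1_upn, gn_sor1_sam),
       gn_sor2=coalesce(gn_sor2_upn, gn_sor2_sid),
       eid_sor1=coalesce(eid_sor1_upn, eid_sor1_sam),
       eid_sor2=coalesce(eid_sor2_upn, eid_sor2_sid)
| eval givenName=coalesce(gn_sor1, gn_sor2),
       employeeID=coalesce(eid_sor1, eid_sor2),
       eid_conflict=if(isnotnull(eid_sor1) AND isnotnull(eid_sor2) AND eid_sor1!=eid_sor2, "yes", "no")
| table user AccountType givenName employeeID eid_conflict
```

The first eval names the format; the second copies the identifier into a key field only when the format matches, and leaves the other keys null. A lookup whose input field is null matches nothing, so each lookup line is effectively conditional on AccountType without any subsearch, and the per-SOR coalesce plus the final coalesce give the single normalized value the question asks for. The eid_conflict field is worth keeping when you do this for identity resolution: if two systems of record resolve the same identifier to different people, that row should be reviewed rather than silently taking the first non-null value. Two practical checks: make sure the CSVs have no rows with an empty key column, and if UPNs or sAMAccountNames can differ in case between sources, set case_sensitive_match = false in the lookup definition so the lookups still match.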



+1 to this solution

If there is a more complicated logic to deciding which value to use, you can of course replace the coalesce with some nested ifs or something similar but the general idea stays - create four separate fields using four lookups and decide in the end which of those you'll use for the final destination field.

With this whole subsearch thing you seem to be hugely overcomplicating the problem. (Yes, you could probably solve this with some form of map command, but it would be soooooo ineffective that it's definitely not the way to go).
