Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to achieve conditional eval/searchmatch or subsearch result based on the value of another field?

mjones414
Contributor
‎07-06-2022 07:38 AM

I have a scenario where I am analyzing the format of a given string to determine what the name of the format is (e.g. UPN, Samaccount, etc)  From there, I am trying to do a conditional enrichment via lookup to determine more information about the user in question.  The trouble is I have 4 "potential" systems of record the account could come from, and different authoritative key/value pairs to uniquely identify the user.  The good news is there is at least one value in each of these systems of record that is the same thing, so I need to normalize that down.

My method of attacking this:
user=jimbob@joe.com
AccountType=(formula to determine "samact", "upn", or "other)

I have to use lookup because inputlookup does not appear to have any idea what $variables$ are in an eval statement.

SOR1_upn=if(AccountType = "upn", [makeresults count=1 |eval user=$user$ | lookup SOR1.csv userPrincipleName AS user | fields givenName |head 1|return $givenName], "")

I would have expected this to work using normal subsearch logic, so I dont know if its a problem using it with eval or if there is some additional escape character I should be providing.

Another method I thought of  for attacking this is just to create unique values for every possible outcome I want by  from the different SOR's with unique names, and then coalesce them all together but this seems like there should be a more elegant way to do this in splunk.  

In summary, Identify the type of account it is, check 4 different sors for the presence of that account, return a fixed set of values that should ideally all represent the same individual if they do exist in more than one place from each one, and then coalesce them together

Labels (2)
Labels
0 Karma
Reply

mjones414
Contributor
‎07-14-2022 02:02 PM

In the scenario explained above, I need to have a seperate lookup line for each of the potential format types I'm starting with outputting the other accompanying types that I need to identify which belong to the same individual.  In the solution provided for each SOR, thats basically 9 lookup calls per person (3 per SOR).  I think I was actually trying to simplify that, not overcomplicate it, since I can eval a new field telling me what format the event originates with.  🙂

Ultimately what I was looking for was the ability to run a search (to read the SOR lookup, it didnt HAVE to be a subsearch) that triggers on the THEN side of the IF statement in the evaluation.  It sounds like this may not be possible, so I will take the 9 lookup command approach.  I appreciate the assistance with this!

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-06-2022 04:33 PM

Subsearches are run before the outer search, so you cannot pass 'parameters' to the subsearch from the outer.

Not sure if I fully understood the explanation, but if you have 4 SORs then you could do something along the lines of

| lookup SOR1.csv userPrincipleName AS user OUTPUT givenName as gn_SOR1
| lookup SOR2.csv userPrincipleName AS user OUTPUT givenName as gn_SOR2
| lookup SOR3.csv userPrincipleName AS user OUTPUT givenName as gn_SOR3
| lookup SOR4.csv userPrincipleName AS user OUTPUT givenName as gn_SOR4
| eval givenName=coalesce(gn_SOR1, gn_SOR2, gn_SOR3, gn_SOR4)

as you allude to in your text.

 

Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-07-2022 02:01 AM

+1 to this solution

If there is a more complicated logic to deciding which value to use, you can of course replace the coalesce with some nested ifs or something similar but the general idea stays - create four separate fields using four lookups and decide in the end which of those you'll use for the final destination field.

With this whole subsearch thing you seem to be hugely overcomplicating the problem. (Yes, you could probably solve this with some form of map command, but it would be soooooo ineffective that it's definitely not the way to go).

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...