Splunk Search

How to achieve conditional eval/searchmatch or subsearch result based on the value of another field?

mjones414
Contributor

I have a scenario where I am analyzing the format of a given string to determine what the name of the format is (e.g. UPN, Samaccount, etc)  From there, I am trying to do a conditional enrichment via lookup to determine more information about the user in question.  The trouble is I have 4 "potential" systems of record the account could come from, and different authoritative key/value pairs to uniquely identify the user.  The good news is there is at least one value in each of these systems of record that is the same thing, so I need to normalize that down.

My method of attacking this:
user=jimbob@joe.com
AccountType=(formula to determine "samact", "upn", or "other)

I have to use lookup because inputlookup does not appear to have any idea what $variables$ are in an eval statement.

SOR1_upn=if(AccountType = "upn", [makeresults count=1 |eval user=$user$ | lookup SOR1.csv userPrincipleName AS user | fields givenName |head 1|return $givenName], "")

I would have expected this to work using normal subsearch logic, so I dont know if its a problem using it with eval or if there is some additional escape character I should be providing.

Another method I thought of  for attacking this is just to create unique values for every possible outcome I want by  from the different SOR's with unique names, and then coalesce them all together but this seems like there should be a more elegant way to do this in splunk.  

In summary, Identify the type of account it is, check 4 different sors for the presence of that account, return a fixed set of values that should ideally all represent the same individual if they do exist in more than one place from each one, and then coalesce them together

Labels (2)
0 Karma

mjones414
Contributor

In the scenario explained above, I need to have a seperate lookup line for each of the potential format types I'm starting with outputting the other accompanying types that I need to identify which belong to the same individual.  In the solution provided for each SOR, thats basically 9 lookup calls per person (3 per SOR).  I think I was actually trying to simplify that, not overcomplicate it, since I can eval a new field telling me what format the event originates with.  🙂

Ultimately what I was looking for was the ability to run a search (to read the SOR lookup, it didnt HAVE to be a subsearch) that triggers on the THEN side of the IF statement in the evaluation.  It sounds like this may not be possible, so I will take the 9 lookup command approach.  I appreciate the assistance with this!

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Subsearches are run before the outer search, so you cannot pass 'parameters' to the subsearch from the outer.

Not sure if I fully understood the explanation, but if you have 4 SORs then you could do something along the lines of

| lookup SOR1.csv userPrincipleName AS user OUTPUT givenName as gn_SOR1
| lookup SOR2.csv userPrincipleName AS user OUTPUT givenName as gn_SOR2
| lookup SOR3.csv userPrincipleName AS user OUTPUT givenName as gn_SOR3
| lookup SOR4.csv userPrincipleName AS user OUTPUT givenName as gn_SOR4
| eval givenName=coalesce(gn_SOR1, gn_SOR2, gn_SOR3, gn_SOR4)

as you allude to in your text.

 

PickleRick
SplunkTrust
SplunkTrust

+1 to this solution

If there is a more complicated logic to deciding which value to use, you can of course replace the coalesce with some nested ifs or something similar but the general idea stays - create four separate fields using four lookups and decide in the end which of those you'll use for the final destination field.

With this whole subsearch thing you seem to be hugely overcomplicating the problem. (Yes, you could probably solve this with some form of map command, but it would be soooooo ineffective that it's definitely not the way to go).

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...