How to compare the value of a field (search) with ...

christianubeda · ‎11-26-2020

Hello team!

I would like to ask you a question since I have been thinking about it for a while and I am not getting it

I want to compare the user field of my search with the REGISTER field of my csv. The problem is that I have to adapt the user field first to be similar to REGISTER

I have tried with

search | eval user=split(user,"\\") | lookup csvfile.csv REGISTRO as usern | values(user) .... | where user=usern

Can`t with inputlook cause I have to | eval user=split(user,"\\") first

[| inputlookup csvfile.csv
| rename REGISTRO as usern
| fields usern]

user field is like aaaa111

and REGISTER is like XXX\aaaa111

Thank you!

rupkumar4sec · ‎12-03-2020

@christianubeda
If your user field is like “aaaa111” and REGISTER is like “XXX\aaaa111”, why are you splitting user field? If what I understood is correct, your eval should be on the lookup field(Register).

inventsekar · ‎11-26-2020

Hi @christianubeda ... i am not much clear of your issue..

but i can try to edit this query...

search  | eval user=split(user,"\\")  |  lookup csvfile.csv REGISTRO as usern | values(user) .... | where user=usern 

should be / could be ....

base-search  | eval user=split(user,"\\")  | join [lookup csvfile.csv REGISTRO as usern] | stats values(user) AS UserNames .... | where user=usern

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

How to compare the value of a field (search) with the value of a csv field when you have to adapt a field first

eval

lookup

search job inspector

stats

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?