Splunk Search

Multi-value field how to match condition in case statement

bestSplunker
Contributor

Hello everyone,

I am analyzing the mail tracking log for Exchange. I divide sendemail into 3 types.

@abc.com is our internal email domain name. The recipient field is the recipient of the email, either a single-valued field or a multi-valued field. I want to use the case statement to achieve the following conditional judgments. src_user is the sender of the email; it is always a single-valued field.

if recipient contains @abc.com (for example: abc@abc.com or test@abc.com;admin@abc.com) as the email domain, then action is sendemail to internal
if recipient does not contain @abc.com (for example: test@google.com or test@google.com;admin@yahoo.com), then action is sendemail to external
if recipient contains @abc.com or includes a domain name other than @abc.com (for example: test@abc.com ; admin@google.com), then action is sendemail to internal and external

At the same time, I hope it supports a combined judgment of multiple conditions.

for example

if src_user = "*@abc.com" and recipient contains @abc.com, then action is sendemail from internal to internal

So I don't know how to match multivalued fields. I tried to use LIKE and =, but they are not working properly.

0 Karma
1 Solution

knielsen
Contributor

Here is an example solution (the first line only generates your sample input so that it runs as a cut-and-paste example):

| makeresults | eval recipient="abc@abc.com%abc@abc.com,test@abc.com%google@google.com%google@google.com,yahoo@yahoo.com%abc@abc.com,google@google.com" | makemv delim="%" recipient | mvexpand recipient | makemv delim="," recipient
| eval no_rec=mvcount(recipient), no_match=mvcount(mvfilter(match(recipient, "@abc\.com$")))
| eval action=case(no_match=no_rec, "sendemail to internal", no_match<no_rec, "sendemail to internal and external", true(), "sendemail to external")
| table recipient, action

Hth,
-Kai.

0 Karma
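The search above gives a per-event verdict without expanding the multivalue field: mvfilter keeps the recipients that match the internal domain, mvcount compares that against the total, and case() turns the two counts into a label. The original question also asked for a combined judgment on src_user and recipient ("sendemail from internal to internal"). The following is an added example, not code from the thread, that extends the same mvfilter/mvcount approach to produce that combined label. The domain abc.com, the sample senders and recipients, and the semicolon delimiter are assumptions for the demo; replace the makeresults/streamstats/eval lines that build the sample rows with your Exchange message tracking search.

```spl
| makeresults count=4
| streamstats count AS n
| eval src_user=case(n=1, "alice@abc.com", n=2, "bob@abc.com", n=3, "partner@google.com", n=4, "carol@abc.com")
| eval recipient=case(n=1, "test@abc.com;admin@abc.com", n=2, "test@google.com;admin@yahoo.com", n=3, "admin@abc.com", n=4, "test@abc.com;admin@google.com")
| makemv delim=";" recipient
| eval no_rec=mvcount(recipient)
| eval no_int=coalesce(mvcount(mvfilter(match(recipient, "(?i)@abc\.com$"))), 0)
| eval rcpt_side=case(no_int=no_rec, "internal", no_int=0, "external", true(), "internal and external")
| eval src_side=if(match(src_user, "(?i)@abc\.com$"), "internal", "external")
| eval action="sendemail from ".src_side." to ".rcpt_side
| table src_user recipient no_rec no_int src_side rcpt_side action
```

With the constructed rows this yields "sendemail from internal to internal", "sendemail from internal to external", "sendemail from external to internal" and "sendemail from internal to internal and external". Three details matter for a security use case: mvfilter returns null when no recipient matches, so mvcount() is null too, and coalesce(..., 0) makes the counts comparable without relying on the order of the case() branches; the $ anchor means only addresses that end in @abc.com count as internal, so a lookalike such as user@abc.com.example.net is classified as external; and the (?i) flag covers mixed-case domains, which Exchange does not normalise. If the recipient string in your log has spaces around the separator (as in the question's "test@abc.com ; admin@google.com"), strip them before makemv or use makemv's tokenizer option, otherwise the trailing space defeats the $ anchor. If you instead go the mvexpand route suggested later in the thread, you get one row per recipient and have to stats back by a message identifier to recover a per-message verdict.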

bestSplunker
Contributor

thank you! You're awesome!!!!

0 Karma

niketn
Legend

@bestSplunker pipe the following onto your existing search results to break each multivalue field into separate events, one per row:

| mvexpand recipient

Then you can add logic for internal and external as per your requirements. Please let us know if you need help with this logic as well, or if something does not work!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

bestSplunker
Contributor

@niketnilay Do I have to convert multiple values to single values?

0 Karma