Solved: Re: Multi-value field how to match condition in ca...

bestSplunker · ‎04-10-2019

hello everyone

I am analyzing the mail tracking log for Exchange.I divide the type of sendemail into 3 types.

@abc.com is my is our internal email domain name, recipient field is the recipient of the email, either a single-valued field or a multi-valued field.I want to use the case statement to achieve the following conditional judgments. src_user is the sender of the email, it is always a single value field

if recipient contain @abc.com (for example: abc@abc.com or test@abc.com;admin@abc.com) email domain then action is sendemail to internal
if recipient not contain @abc.com (for example: test@google.com or test@google.com;admin@yahoo.com) then action is sendemail to external
if recipient contain @abc.com or include a domain name other than @abc.com (for example: test@abc.com ; admin@google.com) then action is sendemail to internal and external

At the same time, I hope it supports a comprehensive judgment of multiple conditions.

for example

if src_user = "*@abc.com" and recipient contain @abc.com then action is sendemail from internal to internal

So I don't know how to match multivalued fields. I tried to use LIKE and = not working properly

knielsen · ‎04-11-2019

Here is an example solution: (first line is only generating your sample input to have it run as a cut and paste example)

| makeresults | eval recipient="abc@abc.com%abc@abc.com,test@abc.com%google@google.com%google@google.com,yahoo@yahoo.com%abc@abc.com,google@google.com" | makemv delim="%" recipient | mvexpand recipient | makemv delim="," recipient
| eval no_rec=mvcount(recipient), no_match=mvcount(mvfilter(match(recipient, "@abc\.com$")))
| eval action=case(no_match=no_rec, "sendemail to internal", no_match<no_rec, "sendemail to internal and external", true(), "sendemail to external")
| table recipient, action

Hth,
-Kai.

View solution in original post

knielsen · ‎04-11-2019

Here is an example solution: (first line is only generating your sample input to have it run as a cut and paste example)

| makeresults | eval recipient="abc@abc.com%abc@abc.com,test@abc.com%google@google.com%google@google.com,yahoo@yahoo.com%abc@abc.com,google@google.com" | makemv delim="%" recipient | mvexpand recipient | makemv delim="," recipient
| eval no_rec=mvcount(recipient), no_match=mvcount(mvfilter(match(recipient, "@abc\.com$")))
| eval action=case(no_match=no_rec, "sendemail to internal", no_match<no_rec, "sendemail to internal and external", true(), "sendemail to external")
| table recipient, action

Hth,
-Kai.

bestSplunker · ‎04-11-2019

thank you! You're awesome!!!!

niketn · ‎04-11-2019

@bestSplunker pipe the following to your existing search results to break each multivalue field to separate event as separate row

| mvexpand recipent

Then you can add logic to forward to internal and external as per your logic. Please let us know if you need help with this logic as well. Or something does not work!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

bestSplunker · ‎04-11-2019

@niketnilay Do I have to convert multiple values to single values?

Multi-value field how to match condition in case statement

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation