Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multi-value field how to match condition in case statement

bestSplunker
Contributor
‎04-10-2019 11:21 PM

hello everyone

I am analyzing the mail tracking log for Exchange.I divide the type of sendemail into 3 types.

@abc.com is my is our internal email domain name, recipient field is the recipient of the email, either a single-valued field or a multi-valued field.I want to use the case statement to achieve the following conditional judgments. src_user is the sender of the email, it is always a single value field

if recipient contain @abc.com (for example: abc@abc.com or test@abc.com;admin@abc.com) email domain then action is sendemail to internal
if recipient not contain @abc.com (for example: test@google.com or test@google.com;admin@yahoo.com) then action is sendemail to external
if recipient contain @abc.com or include a domain name other than @abc.com (for example: test@abc.com ; admin@google.com) then action is sendemail to internal and external

At the same time, I hope it supports a comprehensive judgment of multiple conditions.

for example

if src_user = "*@abc.com" and recipient contain @abc.com then action is sendemail from internal to internal

So I don't know how to match multivalued fields. I tried to use LIKE and = not working properly

alt text

Tags (1)
Preview file
9 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

knielsen
Contributor
‎04-11-2019 12:47 AM

Here is an example solution: (first line is only generating your sample input to have it run as a cut and paste example)

| makeresults | eval recipient="abc@abc.com%abc@abc.com,test@abc.com%google@google.com%google@google.com,yahoo@yahoo.com%abc@abc.com,google@google.com" | makemv delim="%" recipient | mvexpand recipient | makemv delim="," recipient
| eval no_rec=mvcount(recipient), no_match=mvcount(mvfilter(match(recipient, "@abc\.com$")))
| eval action=case(no_match=no_rec, "sendemail to internal", no_match<no_rec, "sendemail to internal and external", true(), "sendemail to external")
| table recipient, action

Hth,
-Kai.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

knielsen
Contributor
‎04-11-2019 12:47 AM

Here is an example solution: (first line is only generating your sample input to have it run as a cut and paste example)

| makeresults | eval recipient="abc@abc.com%abc@abc.com,test@abc.com%google@google.com%google@google.com,yahoo@yahoo.com%abc@abc.com,google@google.com" | makemv delim="%" recipient | mvexpand recipient | makemv delim="," recipient
| eval no_rec=mvcount(recipient), no_match=mvcount(mvfilter(match(recipient, "@abc\.com$")))
| eval action=case(no_match=no_rec, "sendemail to internal", no_match<no_rec, "sendemail to internal and external", true(), "sendemail to external")
| table recipient, action

Hth,
-Kai.

0 Karma
Reply
Solved! Jump to solution

bestSplunker
Contributor
‎04-11-2019 02:25 AM

thank you! You're awesome!!!!

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-11-2019 12:34 AM

@bestSplunker pipe the following to your existing search results to break each multivalue field to separate event as separate row 

| mvexpand recipent

Then you can add logic to forward to internal and external as per your logic. Please let us know if you need help with this logic as well. Or something does not work!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

bestSplunker
Contributor
‎04-11-2019 12:43 AM

@niketnilay Do I have to convert multiple values to single values?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...