Splunk Search

Nested case -> match within mvjoin

Dworsnop
Path Finder

Hello, I'm trying to create an multi-value field 'category' which takes its value from a 'case(match(' that queries a users AD group membership and returns the category value based on the memberOf field; see below.

... | eval category=mvjoin(case(match(memberOf, "(?i)^.*?CN\={employee AD group}\,?.+"),"employee",match(memberOf, "(?i)^.*?CN\={domain admins AD group}\,?.+"),"privileged",match(memberOf, "(?i)^.*?CN\={restricted internet AD group}\,?.+"),"rest_int"), "|")

For some reason though the final 'category' field only ever contains one value, despite some users being in more than one of the AD groups. mvappend doesn't work either.

0 Karma
1 Solution

Dworsnop
Path Finder

Not to worry folks, I just did it this way...

| eval cat1=case(match(memberOf, "(?i)^.?CN={employee AD group}\,?.+"),"employee")
| eval cat2=case(match(memberOf, "(?i)^.
?CN={domain admins AD group}\,?.+"),"privileged")
| eval cat3=case(match(memberOf, "(?i)^.*?CN={restricted internet AD group}\,?.+"),"rest_int")
| eval category=mvappend(cat1,cat2,cat3)

A bit more convoluted than I'd hoped but it works.

View solution in original post

0 Karma

Dworsnop
Path Finder

Not to worry folks, I just did it this way...

| eval cat1=case(match(memberOf, "(?i)^.?CN={employee AD group}\,?.+"),"employee")
| eval cat2=case(match(memberOf, "(?i)^.
?CN={domain admins AD group}\,?.+"),"privileged")
| eval cat3=case(match(memberOf, "(?i)^.*?CN={restricted internet AD group}\,?.+"),"rest_int")
| eval category=mvappend(cat1,cat2,cat3)

A bit more convoluted than I'd hoped but it works.

View solution in original post

0 Karma

woodcock
Esteemed Legend

You should at least UpVote @richgalloway because he lead you directly to the answer.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The case command only matches once so there will only be a single value to pass to mvjoin.

---
If this reply helps you, an upvote would be appreciated.

Dworsnop
Path Finder

Ah okay, thanks.

Any suggestions on how I can accomplish my goal?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!