- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- SPL Can't do conditional statements after dealing ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My goals is to grab the computer name from the multi-value field: identities. I then want to take that new attribute and check whether it begins with LT or PC to determine if it is a workstation. I've had many searches trying to compose this.
index=opendns_s3 identities=* | eval computer=mvindex(identities, 2) | where computer="lt"
index=opendns_s3 identities=* | eval computer=mvindex(identities, 2) | eval workstation=if(computer == "lt*", "Workstation", "Not Workstation")
If there is a completely different approach that would be better suitable, I would encourage that.
Thank you for your time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@clozach if the identities field in your raw data is already a multi-valued field, your first requirement should work out of the box with the following query:
index=opendns_s3 identities="Lt*"
For second query if identities is really a multi-valued field and the 2 index (i.e. the third element in the multi-valued identities field as index starts from 0 not 1) is computer name, then the query should work. Is it possible that (1) Either identities is not multi-valued or (2) The value Lt* is not at third index of the multivalued field?
Following is a run anywhere search for the second SPL where commands from makeresults till fields - testdata generate dummy data and mvjoin() evaluation function is used to bring the values together as single value for eval to perform:
| makeresults
| eval testdata="Apple,Banana,Cat;Dog,Emu,Fish"
| makemv testdata delim=";"
| mvexpand testdata
| eval identities=split(testdata,",")
| fields - testdata
| eval identities=mvjoin(identities,",")
| eval computer=case(match(identities,"(?i)Ca"),"Workstation",
true(),"Non Workstation")
PS: match() evaluation function with (?i) performs case insensitive match.
Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@clozach if the identities field in your raw data is already a multi-valued field, your first requirement should work out of the box with the following query:
index=opendns_s3 identities="Lt*"
For second query if identities is really a multi-valued field and the 2 index (i.e. the third element in the multi-valued identities field as index starts from 0 not 1) is computer name, then the query should work. Is it possible that (1) Either identities is not multi-valued or (2) The value Lt* is not at third index of the multivalued field?
Following is a run anywhere search for the second SPL where commands from makeresults till fields - testdata generate dummy data and mvjoin() evaluation function is used to bring the values together as single value for eval to perform:
| makeresults
| eval testdata="Apple,Banana,Cat;Dog,Emu,Fish"
| makemv testdata delim=";"
| mvexpand testdata
| eval identities=split(testdata,",")
| fields - testdata
| eval identities=mvjoin(identities,",")
| eval computer=case(match(identities,"(?i)Ca"),"Workstation",
true(),"Non Workstation")
PS: match() evaluation function with (?i) performs case insensitive match.
Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
