Splunk Search

Splitting MultiValue Fields: appliedConditionalAccessPolicies{}*

fdevera
Path Finder

Hello,

I have some fields that have multiple values in them and I need to split them out into their own rows. The fields in question start with appliedConditionalAccessPolicies{}.*

I've tried a few things but no luck. I was looking at the other azuread signin apps and looks like I'm going to have to do this alot.

index=azuread sourcetype=ms:aad:signin appDisplayName="Microsoft Teams" 
|table alternateSignInName appliedConditionalAccessPolicies{}.conditionsNotSatisfied appliedConditionalAccessPolicies{}.conditionsSatisfied appliedConditionalAccessPolicies{}.displayName appliedConditionalAccessPolicies{}.enforcedGrantControls{} appliedConditionalAccessPolicies{}.enforcedSessionControls{} appliedConditionalAccessPolicies{}.id appliedConditionalAccessPolicies{}.result authenticationDetails{}.authenticationMethod authenticationDetails{}.authenticationStepDateTime authenticationDetails{}.authenticationStepRequirement authenticationDetails{}.authenticationStepResultDetail authenticationDetails{}.succeeded authenticationProcessingDetails{}.key authenticationProcessingDetails{}.value authenticationRequirement conditionalAccessStatus createdDateTime deviceDetail.browser deviceDetail.deviceId deviceDetail.displayName deviceDetail.isCompliant deviceDetail.isManaged deviceDetail.operatingSystem deviceDetail.trustType eventtype ipAddress location.city location.countryOrRegion location.geoCoordinates.latitude location.geoCoordinates.longitude location.state mfaDetail.authMethod resourceDisplayName riskState status.additionalDetails status.errorCode status.failureReason tenant userAgent userDisplayName userId userPrincipalName id correlationId resourceId originalRequestId
Tags (1)
0 Karma

to4kawa
Ultra Champion
 index=azuread sourcetype=ms:aad:signin appDisplayName="Microsoft Teams" 
| table _time alternateSignInName appliedConditionalAccessPolicies{}.*
| rename appliedConditionalAccessPolicies{}.* as *, *{} as *
| eval _counter=mvrange(0,mvcount(result))
| stats values(alternateSignInName) as _alternateSignInName list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>', _counter)]
| rename _* as *
| fields - counter
| table alternateSignInName *

I'd like to look at the log once.

0 Karma

fdevera
Path Finder

Even this wrong. I'm going nuts.

index=azuread sourcetype=ms:aad:signin appDisplayName="Microsoft Teams"
| eval tempField=mvzip(mvzip('appliedConditionalAccessPolicies{}.conditionsNotSatisfied','appliedConditionalAccessPolicies{}.conditionsSatisfied','appliedConditionalAccessPolicies{}.displayName','appliedConditionalAccessPolicies{}.enforcedGrantControls{}','appliedConditionalAccessPolicies{}.enforcedSessionControls{}','appliedConditionalAccessPolicies{}.id'),'appliedConditionalAccessPolicies{}.result')
 | stats count by _time, tempField 
 | eval 'appliedConditionalAccessPolicies{}.conditionsNotSatisfied'=mvindex(split(tempField,","),0), 
     'appliedConditionalAccessPolicies{}.conditionsSatisfied'=mvindex(split(tempField,","),1),
     'appliedConditionalAccessPolicies{}.displayName'=mvindex(split(tempField,","),2),
     'appliedConditionalAccessPolicies{}.enforcedGrantControls{}'=mvindex(split(tempField,","),3),
     'appliedConditionalAccessPolicies{}.enforcedSessionControls{}'=mvindex(split(tempField,","),4),
     'appliedConditionalAccessPolicies{}.id'=mvindex(split(tempField,","),5),
     'appliedConditionalAccessPolicies{}.result'=mvindex(split(tempField,","),6)
|table alternateSignInName appliedConditionalAccessPolicies{}.conditionsNotSatisfied appliedConditionalAccessPolicies{}.conditionsSatisfied appliedConditionalAccessPolicies{}.displayName appliedConditionalAccessPolicies{}.enforcedGrantControls{} appliedConditionalAccessPolicies{}.enforcedSessionControls{} appliedConditionalAccessPolicies{}.id appliedConditionalAccessPolicies{}.result
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...