Splunk Search

using a search macro inside mvmap, missing )

Cyrus
Engager

Hi Community - I'm trying to extend the Levenshtein distance query in this tutorial: https://www.splunk.com/en_us/blog/tips-and-tricks/you-can-t-hyde-from-dr-levenshtein-when-you-use-ur....

Specifically, I'm trying to evaluate the Levenshtein distance of an email domain against multiple comparison domains on one line, with the resulting values going into a multivalue field. I tried doing this with mvmap:

| eval lev=mvmap(inspect_domains, `ut_levenshtein(ut_domain, inspect_domains)`)

Where inspect_domains is the multivalue field containing comparative domains, and ut_levenshtein is a search macro in the URL Toolbox app .

This returns an error: "Error in 'eval' command: The expression is malformed. Expected ). "
To my eye, the parentheses appear to be balanced. I nevertheless tried adding or removing parentheses to try to make Splunk happy, but no combination of parentheses seems to work

Any ideas?

Labels (1)
0 Karma

ryanoconnor
Builder

I don't think mvmap is going to work in that context based on the contents of that specific macro. 

Can you give this SPL a shot? It's not one line, but it's close and should still get you where you need to go. Unless there is a specific reason it needs to be a one-liner. 

| makeresults 
| eval ut_domain="mycampany.com" 
| append 
    [| makeresults 
    | eval ut_domain="mycempany.com" ] 
| mvcombine ut_domain
| eval company_domain ="mycompany.com" 
| fields - _time
| mvexpand ut_domain
|`ut_levenshtein(company_domain, ut_domain)`

 

Cyrus
Engager

Thank you for taking the time to respond. That didn't quite work, but it gave me the idea for a rough solution: by using mvappend to join together all of the email domains I want to inspect against, followed immediately by an mvexpand to generate separate line items per event per domain, I can run the ut_levenshtein macro against everything.

| eval inspect_domains=mvappend("yahoo.com", "google.com", "outlook.com")
| mvexpand inspect_domains
| `ut_levenshtein(sender_domain, inspect_domains)`

Not very elegant and may not scale, but it works well enough for now. Thanks again.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...