Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

using a search macro inside mvmap, missing )

Cyrus
Engager
‎10-20-2021 04:25 PM

Hi Community - I'm trying to extend the Levenshtein distance query in this tutorial: https://www.splunk.com/en_us/blog/tips-and-tricks/you-can-t-hyde-from-dr-levenshtein-when-you-use-ur....

Specifically, I'm trying to evaluate the Levenshtein distance of an email domain against multiple comparison domains on one line, with the resulting values going into a multivalue field. I tried doing this with mvmap:

| eval lev=mvmap(inspect_domains, `ut_levenshtein(ut_domain, inspect_domains)`)

Where inspect_domains is the multivalue field containing comparative domains, and ut_levenshtein is a search macro in the URL Toolbox app .

This returns an error: "Error in 'eval' command: The expression is malformed. Expected ). "
To my eye, the parentheses appear to be balanced. I nevertheless tried adding or removing parentheses to try to make Splunk happy, but no combination of parentheses seems to work

Any ideas?

Labels (1)
Labels
0 Karma
Reply

ryanoconnor
Builder
‎10-21-2021 07:31 PM

I don't think mvmap is going to work in that context based on the contents of that specific macro. 

Can you give this SPL a shot? It's not one line, but it's close and should still get you where you need to go. Unless there is a specific reason it needs to be a one-liner. 

| makeresults 
| eval ut_domain="mycampany.com" 
| append 
    [| makeresults 
    | eval ut_domain="mycempany.com" ] 
| mvcombine ut_domain
| eval company_domain ="mycompany.com" 
| fields - _time
| mvexpand ut_domain
|`ut_levenshtein(company_domain, ut_domain)`

 

Reply

Cyrus
Engager
‎10-24-2021 12:36 PM

Thank you for taking the time to respond. That didn't quite work, but it gave me the idea for a rough solution: by using mvappend to join together all of the email domains I want to inspect against, followed immediately by an mvexpand to generate separate line items per event per domain, I can run the ut_levenshtein macro against everything.

| eval inspect_domains=mvappend("yahoo.com", "google.com", "outlook.com")
| mvexpand inspect_domains
| `ut_levenshtein(sender_domain, inspect_domains)`

Not very elegant and may not scale, but it works well enough for now. Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...