Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

using a search macro inside mvmap, missing )

Cyrus
Engager
‎10-20-2021 04:25 PM

Hi Community - I'm trying to extend the Levenshtein distance query in this tutorial: https://www.splunk.com/en_us/blog/tips-and-tricks/you-can-t-hyde-from-dr-levenshtein-when-you-use-ur....

Specifically, I'm trying to evaluate the Levenshtein distance of an email domain against multiple comparison domains on one line, with the resulting values going into a multivalue field. I tried doing this with mvmap:

| eval lev=mvmap(inspect_domains, `ut_levenshtein(ut_domain, inspect_domains)`)

Where inspect_domains is the multivalue field containing comparative domains, and ut_levenshtein is a search macro in the URL Toolbox app .

This returns an error: "Error in 'eval' command: The expression is malformed. Expected ). "
To my eye, the parentheses appear to be balanced. I nevertheless tried adding or removing parentheses to try to make Splunk happy, but no combination of parentheses seems to work

Any ideas?

Labels (1)
Labels
0 Karma
Reply

ryanoconnor
Builder
‎10-21-2021 07:31 PM

I don't think mvmap is going to work in that context based on the contents of that specific macro. 

Can you give this SPL a shot? It's not one line, but it's close and should still get you where you need to go. Unless there is a specific reason it needs to be a one-liner. 

| makeresults 
| eval ut_domain="mycampany.com" 
| append 
    [| makeresults 
    | eval ut_domain="mycempany.com" ] 
| mvcombine ut_domain
| eval company_domain ="mycompany.com" 
| fields - _time
| mvexpand ut_domain
|`ut_levenshtein(company_domain, ut_domain)`

 

Reply

Cyrus
Engager
‎10-24-2021 12:36 PM

Thank you for taking the time to respond. That didn't quite work, but it gave me the idea for a rough solution: by using mvappend to join together all of the email domains I want to inspect against, followed immediately by an mvexpand to generate separate line items per event per domain, I can run the ut_levenshtein macro against everything.

| eval inspect_domains=mvappend("yahoo.com", "google.com", "outlook.com")
| mvexpand inspect_domains
| `ut_levenshtein(sender_domain, inspect_domains)`

Not very elegant and may not scale, but it works well enough for now. Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...