I have a unique query that I think I have a general logical approach to solving, but the syntax and most efficient route are TBD.

The case to solve is this: Users are assigned positions in an application; each position is unique. Positions are assigned security groups that are mapped to roles. We are versioning this mapping into Splunk for two reasons:

1. To be able to rewind and show who was in what groups, so that we can do what-if scenarios 9 months back without trying to figure out what has changed, etc.
2. We want to analyze overlap in positions to roles to help simplify where necessary.

The latter is the basis of my question.

I have a table created off a makemv/mvexpand that creates a cube of data that has Position, GroupName. There are, say, 99 unique positions and 70 unique security groups. Expanded, I have just north of 1200 permutations of them:

Position1, SecGroup1
Position1, SecGroup2
Position2, SecGroup2
Position2, Secgroup5
Position3, SecGroup1
Position4, SecGroup2
Etc.

What I need to do is create stats on the relationship of overlap where positions are in similar groups. I know, for instance, that in my current data set ALL positions are in SecGroup1 and 68/99 are in SecGroup2. This is easily calculated for one group, but how do I extend this out at scale for all groups?

I am thinking of creating a deduplicated list of security groups, and creating a full list of all combinations of (SecGroup1 AND SecGroup2) OR (SecGroup1 AND SecGroup3) until that goes in reverse, then deduplicating that list and using it as a subsearch to my raw data, and then running stats on it that I would think in theory would show where two PD's overlap because of the same two groups.

Is there a more succinct way of doing this? Can one create this list with | foreach to a foreach? How in Splunk can one calculate a list of permutations and force an AND between them as part of a subquery?
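One way to get the pairwise group overlap asked about above without generating a list of AND combinations, as an added example that is not part of the original post: collect each position's groups, expand them against themselves, and count distinct positions per group pair. The `makeresults` rows are constructed from the sample pairs in the post, and the field names `raw`, `total_positions`, `GroupA`, `GroupB`, `shared_positions` and `pct_of_positions` are assumptions.

```spl
| makeresults
| eval raw="Position1,SecGroup1;Position1,SecGroup2;Position2,SecGroup2;Position2,Secgroup5;Position3,SecGroup1;Position4,SecGroup2"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<Position>[^,]+),(?<GroupName>.+)$"
| fields Position GroupName  ``` constructed sample rows; replace everything above with the search that yields Position, GroupName ```
| eventstats dc(Position) as total_positions
| stats values(GroupName) as GroupA first(total_positions) as total_positions by Position
| eval GroupB=GroupA  ``` second copy of the same multivalue list (assumed field name) ```
| mvexpand GroupA
| mvexpand GroupB
| where GroupA < GroupB  ``` keep each unordered pair once and drop self-pairs ```
| stats dc(Position) as shared_positions values(Position) as positions first(total_positions) as total_positions by GroupA GroupB
| eval pct_of_positions=round(100*shared_positions/total_positions, 1)
| sort - shared_positions
```

`mvexpand` truncates its output when it reaches its memory limit (`max_mem_usage_mb` in limits.conf), so watch for that warning if the mapping grows well beyond the size described in the post.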