I have a scenario where I am analyzing the format of a given string to determine what the name of the format is (e.g. UPN, SamAccount, etc.). From there, I am trying to do a conditional enrichment via lookup to determine more information about the user in question. The trouble is I have 4 "potential" systems of record the account could come from, and different authoritative key/value pairs to uniquely identify the user. The good news is there is at least one value in each of these systems of record that is the same thing, so I need to normalize that down.

My method of attacking this:

user=jimbob@joe.com
AccountType=(formula to determine "samact", "upn", or "other")

I have to use lookup because inputlookup does not appear to have any idea what $variables$ are in an eval statement.

SOR1_upn=if(AccountType = "upn", [makeresults count=1 |eval user=$user$ | lookup SOR1.csv userPrincipleName AS user | fields givenName |head 1|return $givenName], "")

I would have expected this to work using normal subsearch logic, so I don't know if it's a problem using it with eval or if there is some additional escape character I should be providing.

Another method I thought of for attacking this is just to create unique values for every possible outcome I want from the different SORs with unique names, and then coalesce them all together, but this seems like there should be a more elegant way to do this in Splunk.

In summary: identify the type of account it is, check 4 different SORs for the presence of that account, return a fixed set of values from each one that should ideally all represent the same individual if they do exist in more than one place, and then coalesce them together.
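As an added example (not from the original post), one way to express the whole pipeline in SPL without subsearches: classify the string, set a per-key-type join field that is null when the account type does not match (so a lookup keyed on it matches nothing), run every SOR lookup with distinct output names, and coalesce. The lookup file names, the key fields userPrincipalName and sAMAccountName, the output fields givenName and mail, and the sAMAccountName pattern are assumptions for illustration.

```spl
| makeresults count=1
| eval user="jimbob@joe.com"
| eval AccountType=case(match(user, "^[^@]+@[^@]+$"), "upn",
                        match(user, "^[A-Za-z0-9._-]{1,20}$"), "samact",
                        true(), "other")
| eval upn_key=if(AccountType="upn", user, null()),
       sam_key=if(AccountType="samact", user, null())
| lookup SOR1.csv userPrincipalName AS upn_key OUTPUTNEW givenName AS sor1_givenName, mail AS sor1_mail
| lookup SOR2.csv sAMAccountName  AS sam_key OUTPUTNEW givenName AS sor2_givenName, mail AS sor2_mail
| lookup SOR3.csv userPrincipalName AS upn_key OUTPUTNEW givenName AS sor3_givenName, mail AS sor3_mail
| lookup SOR4.csv sAMAccountName  AS sam_key OUTPUTNEW givenName AS sor4_givenName, mail AS sor4_mail
| eval givenName=coalesce(sor1_givenName, sor2_givenName, sor3_givenName, sor4_givenName),
       mail=coalesce(sor1_mail, sor2_mail, sor3_mail, sor4_mail),
       sor_hits=coalesce(mvcount(mvappend(sor1_givenName, sor2_givenName, sor3_givenName, sor4_givenName)), 0)
| fields user AccountType givenName mail sor_hits
```

sor_hits counts how many SORs matched, which makes it easy to flag accounts found in more than one place (or in none) before trusting the coalesced attributes.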