Hi.

What I am trying to do is the following...

I need what I bring in codes_tech to look for it in columns A,B,C, etc and if it finds something that says "Es aqui"

My query is:

index=notable search_name="Endpoint - KTH*"
|fields technique_mitre
|stats count by technique_mitre
|eval tech_id=technique_mitre
|rex field=tech_id "^(?<codes_tech>[^\.]+)"
|stats count by codes_tech
|makemv delim=", " codes_tech
|mvexpand codes_tech
|fields codes_tech

| inputlookup append=t mitre_lookup
| foreach TA00*
[
| lookup mitre_tt_lookup technique_id as <<FIELD>> OUTPUT technique_name as <<FIELD>>_technique_name
| eval <<FIELD>>_technique_name=mvindex(<<FIELD>>_technique_name, 0)
| eval <<FIELD>>=<<FIELD>>_technique_name . " " . <<FIELD>>
|eval <<FIELD>>=split(replace(<<FIELD>>,"\.",".|"),"|")
]

| eval TA0004 = if(mvfind(codes_tech, TA0004) > -1, TA0001." Es aqui", TA0004)

So, what do you get when you try my suggestion?

With your suggestion I get the following result:

Can I explain my query in parts? Maybe that's how I understand it better

I have two queries if I execute them separately it gives me the following result

Query 1:
index=notable search_name="Endpoint - KTH*"
|fields technique_mitre
|stats count by technique_mitre
|eval tech_id=technique_mitre
|makemv delim=", " tech_id
|mvexpand tech_id
|rex field=tech_id "^(?<codes_tech>[^\.]+)"
|stats count by codes_tech
|table codes_tech

Query 2:

|inputlookup append=t mitre_lookup
|foreach TA00*
[
| lookup mitre_tt_lookup technique_id as <<FIELD>> OUTPUT technique_name as <<FIELD>>_technique_name
| eval <<FIELD>>_technique_name=mvindex(<<FIELD>>_technique_name, 0)

]

What I did was join the two queries and look for each value that codes_tech brings in the columns TA0001, TA0002, TA0003, etc. For that I thought of using an eval, but it doesn't do anything 😞

However, something curious happens or I don't know why the following happens...

If I put the values directly in an eval and then separate it by commas if it looks for the values in the lookup, let me show you...

I really don't know how to approach the issue 😞

I am still not entirely sure what your expected output should look like

Please can you provide a mock up of what you are trying to achieve.

In the meantime, does this give you what you need?

|fields technique_mitre
|stats count by technique_mitre
|eval tech_id=technique_mitre
|rex field=tech_id "^(?<codes_tech>[^\.]+)"
|stats count by codes_tech
|makemv delim=", " codes_tech
|mvexpand codes_tech
|stats count by codes_tech
| lookup mitre_tt_lookup technique_id as codes_tech
| foreach tactic_id tactic_name technique_name
    [| eval <<FIELD>>=mvindex(<<FIELD>>,part)]
| eval {tactic_id}_tactic_name=tactic_name
| eval {tactic_id}_technique_name=technique_name
| fields - tactic_id tactic_name technique_name
| stats values(*) as * by codes_tech

Hi

I need to do a dashboard in dashboard studio. I already configured some rules and if it triggers any I need to paint it on the dashboard, like this...