If the vulnerability column has a certain value then a new column called ‘Software_Affected’ has a corresponding value like below--
Thanks for your help. This is the best forum !!!
Alan
| eval "Software Affected"=case(match(vulnerability,"Flash"),"Adobe Flash", match(vulnerability,"Acrobat"),"Adobe Acrobat", match(vulnerability,"7-Zip"),"7-Zip", match(vulnerability,"DES"),"3DES", true(),"Unknown")
If you have a large number so that using case isn't efficient, then use a lookup as @diogofgm recommends:
| lookup yourlist vulnerability OUTPUT Software_Affected
From where do you get 3DES in the first sample, and how do you add Adobe to the last?
You can use a lookup configured to use wildcards
create your lookup like this
"vulnerability","software_affected"
"*Flash*","Adobe Flash"
etc
and then follow the steps in this answer
https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html
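The wildcard lookup discussed in this thread, written out as an added example that is not from any of the posters: a transforms.conf stanza that makes Splunk treat the `vulnerability` column of the CSV as wildcard patterns. The stanza name `yourlist` follows the search above; the file name `yourlist.csv` and the CSV rows are assumptions, with the patterns taken from the case() example.

```ini
# transforms.conf -- added example, not configuration from the thread
[yourlist]
# Assumed file name for the lookup table
filename = yourlist.csv
# Treat values in the CSV's vulnerability column as wildcard patterns
match_type = WILDCARD(vulnerability)
# Scanner titles vary in capitalisation, so match case-insensitively
case_sensitive_match = false
# Return only the first matching row; rows are tried in file order,
# so put the more specific patterns above the broader ones
max_matches = 1

# yourlist.csv (constructed rows; column names follow the lookup search above):
#   vulnerability,Software_Affected
#   *Flash*,Adobe Flash
#   *Acrobat*,Adobe Acrobat
#   *7-Zip*,7-Zip
#   *DES*,3DES
#
# Search, with a fallback for rows that match no pattern:
#   ... | lookup yourlist vulnerability OUTPUT Software_Affected
#       | fillnull value="Unknown" Software_Affected
```

Because `max_matches = 1` returns the first row that matches, a broad pattern such as `*DES*` placed near the top of the file can label findings that belong to a more specific row further down.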