- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multi-value Field Help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multi-value Field Help
Hi Guys,
Right now I'm trying to set up a Splunk query to look for a series of Unix commands within either a multi-valued field (with all the commands) or a string that includes the command line. My only problem is that I'm unsure how to do the matching and I was planning on using a lookup table to hold all of the commands that I'm looking for. I've been leaning towards doing a regex implementation, but it just seems sloppy. Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi linu1988, I'm not planning on running the Linux, this search is meant to look through collections of Unix logs. My problem is that I'm trying to look at a multivalve field from that search and figure out if any of those values are the input of a lookup table I have. For example, the log could have a field like: cp, mv, rm,and I'm looking to see if rm (or some other commands are in there).. I'm hesitant to do a huge regex, but think it may be my only option.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
evenif it's multi valued the field contains the keyword. I haven't tested as i don't have relevant data. Try it out, see if it's not working, use the multikv command to separate the mv fields, make it single valued field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Linu1988, I'm not too versed in sub-searches. How would the loaded csv be compared to a multi-valued field?
For example, if I set the cvs up like this (don't worry about the values, I had a user-defined mapping originally)
CSV: fields are on top
|command|val..|val..|
|su |12321|12312|
|rm |12313|12312|
|mv |32134|12352|
and I'm trying to check if an excel field that has values like below is in there (all one cell, it's multi-valued):
| mv |
| cp |
| ls |
Thanks for the help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahh i get it, So lookup is the best option/ a csv containing the commands. Just use a subsearch and get the result.
e.g.
Index=blah sourcetype=blah [|inputcsv command.csv]| table _raw
note:make sure any single column should be present to match
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you plan to execute unix command? Are the data indexed? If yes then the source=* will give you all the commands' result. then see how it can be done. Correct me if i am wrong.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
