Help with Logic when a multivalue field appears: H...

Esky73 · ‎05-18-2022

I have some events coming in that use a lookup to resolve to an action eg :

Block,block,not sent = blocked

tagged, delivered, logged = delivered

Occasionally a multivalue field appears such as :

Tagged

Logged

OR

Tagged

Block

the Logic should be :

Tagged Logged = delivered

Tagged Block = Block

Trying to figure out how to add this logic to utilise the lookup.

Played around with nomv which creates a single value field but adds a \n so the value becomes : Tagged\nLogged

But then i need to do do a sedcmd to remove the \n and then add the result to the lookup to resolve the desired action.

Is there a better approach in this scenario ?

thx

gcusello · ‎05-18-2022

Hi @Esky73,

the action you are describing is called normalization and it's usually done to normalize logs to CIM compliance.

At first I hint to see if there's an Add-on that already made normalization for your logs, if there isn't I hint to use calculated fields, e.g. something like this:

| eval action=case(action="Block","blocked",action="block","blocked",action="not sent","blocked",action="tagged","delivered", action="delivered","delivered", action="logged","delivered")

About the multivalue, see if it's possible to extract fields in a different way or use "like" in the above condition.

Ciao.

Giuseppe

Help with Logic when a multivalue field appears: How to utilise lookup?

field extraction

fields

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability