Solved: Re: Lookup table matching on multivalued fields

responsys_cm · ‎06-29-2012

I have a field in some of our events called "action". I have blacklisted IPs that we've seen a number of attacks from. I have created a search that builds a transaction of all of the events from an attack and extracts all of the "action" fields and placed them in a field called "attack".

It might look something like:

Login
CreateContent
LoadContent
Launch

I want to be able to do a lookup that will match all of the lines in that attack field in the order that they appear. But I'm getting a successful match in the lookup table for something like:

Login
ViewContent
CreateContent
UpdateContent
LoadContent
Launch

How can I make Splunk only match when the entire contents and the order of those contents match that of the lookup table?

Thanks.

Craig

responsys_cm · ‎06-29-2012

I found that I could use | eval pattern=mvjoin(attack,".") to create a period delimited string and then do the comparison that way. If there is a more elegant way to do this, I'd love to know.

View solution in original post

responsys_cm · ‎06-29-2012

I found that I could use | eval pattern=mvjoin(attack,".") to create a period delimited string and then do the comparison that way. If there is a more elegant way to do this, I'd love to know.

Lookup table matching on multivalued fields

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability