I have a field in some of our events called "action". I have blacklisted IPs that we've seen a number of attacks from. I have created a search that builds a transaction of all of the events from an attack and extracts all of the "action" fields and placed them in a field called "attack".
It might look something like:
Login
CreateContent
LoadContent
Launch
I want to be able to do a lookup that will match all of the lines in that attack field in the order that they appear. But I'm getting a successful match in the lookup table for something like:
Login
ViewContent
CreateContent
UpdateContent
LoadContent
Launch
How can I make Splunk only match when the entire contents and the order of those contents match that of the lookup table?
Thanks.
Craig
I found that I could use | eval pattern=mvjoin(attack,".") to create a period delimited string and then do the comparison that way. If there is a more elegant way to do this, I'd love to know.
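An added example, not code from the original post, modelling the mvjoin approach above in Python rather than SPL so the difference between the loose match the question describes and the exact ordered match can be seen side by side. The events, the lookup rows, the IP addresses and the pattern name are constructed for illustration; the loose behaviour is modelled as a subsequence match, which is an assumption since the question does not say how the lookup was configured.

```python
"""Exact, ordered matching of a multivalue 'attack' field against a lookup.

Added example (not the original poster's code). The events, lookup rows and
delimiter choice below are constructed for illustration.
"""

from collections import defaultdict

# Constructed sample events: (timestamp, source ip, action). Not real data.
EVENTS = [
    (1, "203.0.113.5", "Login"),
    (2, "203.0.113.5", "CreateContent"),
    (3, "203.0.113.5", "LoadContent"),
    (4, "203.0.113.5", "Launch"),
    (1, "198.51.100.7", "Login"),
    (2, "198.51.100.7", "ViewContent"),
    (3, "198.51.100.7", "CreateContent"),
    (4, "198.51.100.7", "UpdateContent"),
    (5, "198.51.100.7", "LoadContent"),
    (6, "198.51.100.7", "Launch"),
]

# Constructed lookup rows: ordered action list -> pattern name (assumed).
LOOKUP = [
    (["Login", "CreateContent", "LoadContent", "Launch"], "content_launch_chain"),
]

# The post used "." as the delimiter. A character that can never appear in an
# action name avoids a false match if an action ever contains the delimiter.
DELIM = "\x1f"


def build_transactions(events):
    """Group events by source IP in time order, like building a transaction."""
    by_ip = defaultdict(list)
    for _ts, ip, action in sorted(events):
        by_ip[ip].append(action)
    return dict(by_ip)


def mvjoin(values, delim=DELIM):
    """Flatten a multivalue field into one delimited string (mvjoin)."""
    return delim.join(values)


def is_subsequence(needle, haystack):
    """Loose match (assumed model of the original behaviour): every action in
    'needle' appears in 'haystack' in order, with other actions allowed between."""
    it = iter(haystack)
    return all(any(a == b for b in it) for a in needle)


def match_loose(attack, lookup=LOOKUP):
    for pattern, name in lookup:
        if is_subsequence(pattern, attack):
            return name
    return None


def match_exact(attack, lookup=LOOKUP):
    """Exact match: the joined strings must be identical, so both the
    contents and the order must agree with the lookup row."""
    joined = mvjoin(attack)
    for pattern, name in lookup:
        if mvjoin(pattern) == joined:
            return name
    return None


def classify(events):
    """Return, per source IP, the loose and exact lookup results."""
    result = {}
    for ip, attack in build_transactions(events).items():
        result[ip] = {"loose": match_loose(attack), "exact": match_exact(attack)}
    return result


if __name__ == "__main__":
    for ip, outcome in classify(EVENTS).items():
        print(ip, outcome)
```

The second IP's transaction contains every action of the lookup row in order, so a loose match still fires on it, while the joined-string comparison only fires on the first IP, whose actions are exactly the lookup row. In SPL the same comparison is what the post's `| eval pattern=mvjoin(attack,".")` followed by a lookup on `pattern` gives, provided the lookup's key column holds the actions joined with the same delimiter; pick a delimiter that cannot occur inside an action name, since otherwise two different action lists can join to the same string.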