This is a piece of a search that I have been working on:
eventtype=knoob (file_name=authorize.conf)
| eval zip1=mvzip(key, value, ";") | mvexpand zip1 | makemv zip1 delim=";" | eval skey=mvindex(zip1,1) | eval svalue=mvindex(zip1,0)
| dedup skey, svalue | sort skey, svalue | table skey, svalue, stanza, SplunkRole, file_name
| where ( like(svalue, "import%") AND like(stanza, "role%") )
| rename skey AS SplunkRole, stanza AS Role
| eval Role=case(isnull(Role),"NONE",NOT isnull(Role),Role)
| eval file_name="authorize.conf"
| eval SplunkRole=case(isnull(SplunkRole),"NONE",NOT isnull(SplunkRole),SplunkRole)
| table Group, Role, Index, SplunkRole
| appendcols [ search eventtype=knoob (file_name=authorize.conf)
| eval zip1=mvzip(key, value, ";") | mvexpand zip1 | makemv zip1 delim=";" | eval skey=mvindex(zip1,1) | eval svalue=mvindex(zip1,0)
| dedup skey, svalue | sort skey, svalue | table skey, svalue, stanza, file_name
| where like(stanza, "APP%")
| rename stanza AS Group, skey AS Index
| eval Group=case(isnull(Group),"NONE",NOT isnull(Group),Group)
| eval file_name="authorize.conf"
| eval Index=case(isnull(Index),"NONE",NOT isnull(Index),Index)
| table Group, Role, Index, SplunkRole ]
... there are 4 more appendcols searches attached to this search to address "authenticate.conf" information.
I’m currently successfully extracting the following information from the authenticate.conf and authorize.conf tables (into a report) by: Group, Role, Index, SplunkRole
What is missing is the associated user information: I can obtain this information using:
| rest /services/authentication/users splunk_server=local
| fields title, roles, realname
| rename title AS Username, realname AS Name, roles AS Roles
| sort Roles, Username
| table Roles, Name, Username
From this search, you will see data like:
Roles Name Username
admin Jones, Barnaby bjones
admin Smith, Carol csmith
eso-ro
eso-rw
I would like to be able to flatten the “Roles” column.
For example, if I have a column with multiple roles separated by “;”, I can use the split command:
Say that I have a field called “key” that contains the values: role1; role2; role3; role4
I know that I can separate it out:
| eval temp=split(key,";") | eval srole1=mvindex(temp,0) | eval srole2=mvindex(temp,1) | eval srole3=mvindex(temp,2) | eval srole4=mvindex(temp,3)
How do I recognize the method to split this data: is there a way to convert the “newline” or “carriage return linefeed” that appears to be occurring within the “roles” column when multi-values exist to a delimiter, so that I could continue to perform the in-line search process to append the results to my existing search?
I know that I can export the above REST query to an EXCEL spreadsheet (.CSV); however, I cannot get the results flattened to be able to join with the results of my existing search. I wanted to be able to avoid having to manually create my lookup table when multiple occurrences exist.
Is there really no way to deal with the “nulls”, “new lines” or “carriage return line feeds” within the Search context when using a “rest | data…” retrieval?
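The following is an added worked example, not part of the original post. It treats the roles field returned by the rest endpoint as what it actually is, a multivalue field (the "newlines" are only how the table view renders one value per line), and shows both ways of flattening it: mvjoin turns the values into a single ";"-delimited string (the delimiter form asked about above), and mvexpand gives one row per user/role pair, which is the form that can be joined to the authorize.conf parsing from the post. The subsearch reuses the post's eventtype=knoob / stanza / key / value fields; the assumptions are that stanza names carry a "role_" prefix that must be stripped to match the bare role names the rest endpoint returns, and the field names cfgkey, cfgvalue and RolesJoined, which are introduced here for illustration. join is given max=0 so that a role importing several roles keeps every SplunkRole match rather than only the first.

```spl
| rest /services/authentication/users splunk_server=local
| fields title, roles, realname
| rename title AS Username, realname AS Name
| eval RolesJoined=mvjoin(roles, ";")
| mvexpand roles
| rename roles AS Role
| eval Role=coalesce(Role, "NONE")
| join type=left max=0 Role
    [ search eventtype=knoob file_name=authorize.conf
      | eval zip1=mvzip(key, value, ";")
      | mvexpand zip1
      | makemv zip1 delim=";"
      | eval cfgkey=mvindex(zip1, 0), cfgvalue=mvindex(zip1, 1)
      | where like(stanza, "role%") AND like(cfgkey, "import%")
      | eval Role=replace(stanza, "^role_", ""), SplunkRole=cfgvalue
      | dedup Role, SplunkRole
      | fields Role, SplunkRole ]
| eval SplunkRole=coalesce(SplunkRole, "NONE")
| table Username, Name, Role, SplunkRole, RolesJoined
```

RolesJoined is computed before mvexpand, so every expanded row for a user still carries the full ";"-delimited role list for that user; drop that eval and the column if only the one-row-per-role form is wanted. Because the join key is the bare role name, a user whose role has no matching stanza in authorize.conf (a role defined elsewhere, or a typo in a stanza name) comes through with SplunkRole set to "NONE" rather than disappearing, which is the behaviour wanted for an access review: unexplained role grants should be visible, not silently filtered out.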