Unable to find the query functionalities for the below requirements.
Sample KVP format log below -
--------------------------------------------------------------------------------------------------------------------
userId="Walter, robertwest" OnSrc="administrator, robertwest.sfo-winsrv-rc18, james, administrator, testuser987, svcfimadma_00y, steve, tyronedavis, robertwest, edwardpietsch" identityType="domain, domain, domain, domain, domain, domain, domain, domain, domain, domain" isCompromised="false, false, false, false, false, false, false, false, false, false" isIdentityPrivileged="true, false, false, false, false, false, false, false, true, false"
--------------------------------------------------------------------------------------------------------------------
All userId, OnSrc, identityType, isCompromised, and isIdentityPrivileged fields have a stringified list as their value.
Requirement -
Step 1 - I want to extract each value from the userId field.
Step 2 - Check whether the extracted userId values are present in the OnSrc stringified list or not.
Step 3 - If any userId is present in the OnSrc field, then what is the index of that present value?
Step 4 - Then extract the values from isIdentityPrivileged, isCompromised, and identityType using the index value which was figured out in step 3.
Expected output should be a table -
UserId      isIdentityPrivileged   isCompromised   identityType
robertwest  true                   false           domain
Note - Walter got skipped in the table because this userId is not present in the OnSrc field.
In Splunk we were able to achieve the same using the mvfind() and mvindex() operators.
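The four steps above, worked through in Python as an added example (this is not the post's query and not the syntax of any particular log platform). It takes the sample line from the post as constructed input and matches each userId against the OnSrc tokens exactly, so that the prefix entry robertwest.sfo-winsrv-rc18 at index 1 is not mistaken for robertwest at index 8; a substring match there would pull the wrong isIdentityPrivileged flag.

```python
import re

# Constructed input: the sample KVP line from the post above.
SAMPLE_LOG = (
    'userId="Walter, robertwest" '
    'OnSrc="administrator, robertwest.sfo-winsrv-rc18, james, administrator, '
    'testuser987, svcfimadma_00y, steve, tyronedavis, robertwest, edwardpietsch" '
    'identityType="domain, domain, domain, domain, domain, domain, domain, domain, domain, domain" '
    'isCompromised="false, false, false, false, false, false, false, false, false, false" '
    'isIdentityPrivileged="true, false, false, false, false, false, false, false, true, false"'
)

# key="value" pairs; the value never contains a double quote in this format.
KVP_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_kvp(line):
    """Return {field: [token, ...]} with every stringified list split on commas."""
    return {k: [t.strip() for t in v.split(",")] for k, v in KVP_RE.findall(line)}

def pick(fields, name, idx):
    """Value of list field `name` at `idx`, or None if that list is shorter (misaligned log)."""
    values = fields.get(name, [])
    return values[idx] if idx < len(values) else None

def lookup_users(line):
    """Steps 1-4: for each userId found as an exact OnSrc token, join the parallel lists by index."""
    fields = parse_kvp(line)
    on_src = fields.get("OnSrc", [])
    rows = []
    for user in fields.get("userId", []):
        if user not in on_src:          # exact token test, not substring: Walter is skipped
            continue
        idx = on_src.index(user)        # first occurrence, same as mvfind() in Splunk
        rows.append({
            "UserId": user,
            "index": idx,
            "isIdentityPrivileged": pick(fields, "isIdentityPrivileged", idx),
            "isCompromised": pick(fields, "isCompromised", idx),
            "identityType": pick(fields, "identityType", idx),
        })
    return rows

if __name__ == "__main__":
    print("UserId isIdentityPrivileged isCompromised identityType")
    for r in lookup_users(SAMPLE_LOG):
        print(r["UserId"], r["isIdentityPrivileged"], r["isCompromised"], r["identityType"])
```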