
How to set a flag in splunk using lookup

I am trying to achieve the logic below: set a flag called <adminuser> if the current user ID is present in the lookup (in the lookup there are 4 IDs: AAP1 APP2 AAP3). If adminuser is False, then filter where the Requestor in the event is; else do not filter. Only the 4 IDs can see the user details, and the rest can see only their own requests.

My XML code is

index=* sourcetype="testapp"
| eval split=split(Requestor, "@"), Requestor=mvindex(split, 0)
| eval "Requested Date" = strftime(_time,"%Y-%m-%d %H:%M:%S")
| Get current user ID = (| rest /services/authentication/current-context splunk_server=local | rename username as Requestor | eval split=split(Requestor, "@"), Requestor=mvindex(split, 0))
| want to use flag if current user ID is present in lookup
| if adminuser is False, then filter where Requestor in event is else do not filter
| table "Requested Date" "ID" "Requestor" "MD" "SM" "SL" Status

The following code can be used to set a flag

| eval adminuser=[ 
    | rest /services/authentication/current-context splunk_server=local 
    | join type=inner username [ | inputlookup adminusers ]
    | stats count
    | eval search=if(count>0,"1","0")
  ]

This assumes your lookup contains a single column, called username.

Post some event samples if you need further clarification
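Putting the flag from the answer into the asker's full search, as an added example that is not part of the original question or answer. It assumes the lookup is named adminusers with a single column username holding the part of the user name before the @ (the same stripping the question applies to Requestor), that /services/authentication/current-context returns one row for the logged-in user, and the index/sourcetype and output fields from the question. The second subsearch is added here to turn the current user into a Requestor="..." term for the search command; the date field is computed under a temporary name and renamed at the end so no eval field name needs quoting.

```spl
index=* sourcetype="testapp"
| eval Requestor=mvindex(split(Requestor, "@"), 0)
| eval requested_date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval adminuser=[
    | rest /services/authentication/current-context splunk_server=local
    | eval username=mvindex(split(username, "@"), 0)
    | join type=inner username [ | inputlookup adminusers ]
    | stats count
    | eval search=if(count>0, "1", "0")
  ]
| search adminuser="1" OR [
    | rest /services/authentication/current-context splunk_server=local
    | eval Requestor=mvindex(split(username, "@"), 0)
    | fields Requestor
  ]
| rename requested_date AS "Requested Date"
| table "Requested Date" ID Requestor MD SM SL Status
```

How it works: the first subsearch returns a field named search, so its value ("1" or "0") is substituted verbatim into the eval and every event gets adminuser set to it. The second subsearch returns a field named Requestor, so it expands to ( Requestor="<current user>" ); admins pass the OR on adminuser="1", everyone else only keeps events whose Requestor matches their own ID. Note that the join strips the domain from the current user before comparing, so the lookup must store IDs without the @domain part.

Caveat: this is filtering inside a search string, not access control. Any user who is allowed to run ad-hoc searches against this index can simply omit the where/search clause and see every request. If non-admins must genuinely be prevented from reading other users' events, restrict it in the role configuration (index access and per-role search filters) rather than relying on the dashboard's search to hide them.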
