
Splunk create value on table with base search and eval from lookup

Having some issues with my SPL query. The search below is creating a table from AWS CloudTrail logs, and is using a lookup file containing AD data. Each row of the table contains login data from AWS like last login and number of logins. I'm trying to use the AD lookup to see if the users logging in are still active in this AD file. I do not have an inactive lookup; the only thing I have to go off is that the user will no longer show up in the AD lookup. So that means there will be blanks in the table if the logins do not find a match in the AD lookup. So I want to eval a new status field based off whether "identity is null". I've tried both case and if; not getting anything. Everything is working fine except line 16.

index=aws sourcetype="aws:cloudtrail" eventCategory=Management eventType=AwsConsoleSignin
| stats max(_time) AS last_login count AS logins by userIdentity.arn
| rename userIdentity.arn AS user
| search user="*.com"
| eval temp=split(user,":")
| eval Account_number = mvindex(temp, 4)
| eval usr =mvindex(temp, 5)
| fields - temp
| eval temp2=split(usr,"/")
| eval role_type=mvindex(temp2,0)
| eval role=mvindex(temp2,1)
| eval user_email=mvindex(temp2,2)
| eval last_login=strftime(last_login,"%c")
| rename user_email AS email
| lookup identity_ad email OUTPUTNEW bunit memberOf identity first last
| eval status=case(identity==null, "inactive", identity!=null "active")
| table status, first, last, identity, email, bunit, role, role_type, logins, last_login

Everything is returning correctly in the table except the status field, which is being calculated on line 16 of the query. Any help or a point in the right direction would be greatly appreciated. Thanks.

Splunk has the isnull and isnotnull functions for testing if a field is null or not.

index=aws sourcetype="aws:cloudtrail" eventCategory=Management eventType=AwsConsoleSignin
| stats max(_time) AS last_login count AS logins by userIdentity.arn
| rename userIdentity.arn AS user
| search user="*.com"
| eval temp=split(user,":")
| eval Account_number = mvindex(temp, 4)
| eval usr =mvindex(temp, 5)
| fields - temp
| eval temp2=split(usr,"/")
| eval role_type=mvindex(temp2,0)
| eval role=mvindex(temp2,1)
| eval user_email=mvindex(temp2,2)
| eval last_login=strftime(last_login,"%c")
| rename user_email AS email
| lookup identity_ad email OUTPUTNEW bunit memberOf identity first last
| eval status=case(isnull(identity), "inactive", isnotnull(identity), "active")
| table status, first, last, identity, email, bunit, role, role_type, logins, last_login
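The same pipeline outside Splunk, as an added example that is not part of the original question or answer: it aggregates constructed console sign-in events by ARN, parses the assumed-role ARN the way the mvindex calls do, joins against a constructed stand-in for the identity_ad lookup, and derives status with the isnull logic from the answer. The event records, identities and lookup contents are all made up for the example.

```python
from datetime import datetime, timezone
# Constructed sample AwsConsoleSignin events (not real data), reduced to the two fields used.
EVENTS = [
    {"_time": 1700000000, "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/alice@example.com"},
    {"_time": 1700003600, "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/alice@example.com"},
    {"_time": 1700007200, "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/bob@example.com"},
    {"_time": 1700010800, "arn": "arn:aws:sts::999999999999:assumed-role/ReadOnly/mallory@example.com"},
]

# Constructed stand-in for the identity_ad lookup, keyed by email; mallory is absent (left AD).
IDENTITY_AD = {
    "alice@example.com": {"identity": "alice", "first": "Alice", "last": "Adams", "bunit": "SecOps"},
    "bob@example.com": {"identity": "bob", "first": "Bob", "last": "Brown", "bunit": "Eng"},
}

def parse_arn(arn):
    """Mirror the query: split on ':' (index 4 = account, index 5 = 'assumed-role/<role>/<email>'),
    then split index 5 on '/' into role_type, role and email. Returns None for other ARN shapes."""
    temp = arn.split(":")
    if len(temp) < 6:
        return None
    temp2 = temp[5].split("/")
    if len(temp2) != 3:
        return None
    return {"account_number": temp[4], "role_type": temp2[0], "role": temp2[1], "email": temp2[2]}

def build_table(events, identity_ad):
    """stats max(_time) AS last_login count AS logins by arn, then lookup and the status eval."""
    agg = {}
    for ev in events:
        row = agg.setdefault(ev["arn"], {"last_login": 0, "logins": 0})
        row["last_login"] = max(row["last_login"], ev["_time"])
        row["logins"] += 1
    table = []
    for arn, row in agg.items():
        parts = parse_arn(arn)
        if parts is None or not parts["email"].endswith(".com"):  # search user="*.com"
            continue
        match = identity_ad.get(parts["email"])  # like OUTPUTNEW: fields stay null with no match
        identity = match["identity"] if match else None
        table.append({**parts, "identity": identity, "bunit": match["bunit"] if match else None,
                      "status": "inactive" if identity is None else "active",  # isnull(identity)
                      "logins": row["logins"],
                      "last_login": datetime.fromtimestamp(row["last_login"], tz=timezone.utc).isoformat()})
    return table

def inactive_logins(events=EVENTS, identity_ad=IDENTITY_AD):
    """Rows worth triaging: console sign-ins by users absent from the AD export."""
    return [r for r in build_table(events, identity_ad) if r["status"] == "inactive"]
```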

lookup will always run, always outputting the fields you tell it to - even if they are null

And therein lies the key:

| rename user_email AS email
| lookup identity_ad email OUTPUTNEW bunit memberOf identity first last
| where isnotnull(bunit)

Will skip all of the entries that didn't return a bunit field

If you only want to keep those that don't exist in the lookup table, do it this way:

| where isnull(bunit)
