
eval command help

Hi All,

I need help getting values from a multivalue field. We have a field named "properties.targetResources{}.displayName" which has multiple values. When the field "operationName"="Add member to role completed (PIM activation)", we need a new field, let's say "dest", which should pick the 3rd value from the field "properties.targetResources{}.displayName". And when operationName = Add member to role request denied (PIM activation), the "dest" field should pick the 4th value from the field "properties.targetResources{}.displayName".

The Splunk search for a single field value with mvindex is working fine:

sourcetype="amdl:aadal:audit" operationName="Add member to role completed (PIM activation)" | eval dest = case(operationName=="Add member to role completed (PIM activation)", mvindex('properties.targetResources{}.displayName',3)) | table dest

The Splunk search for multiple field values is not working fine:

sourcetype="amdl:aadal:audit" operationName=* | eval dest = if(case(operationName=="Add member to role completed (PIM activation)", mvindex('properties.targetResources{}.displayName',3)), case(operationName = Add member to role request denied (PIM activation) , mvindex('properties.targetResources{}.displayName',4)) | table dest

In this case the eval is written wrong and needs to be fixed.

Thanks in advance
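An added example, not part of the original post: a single case() can hold both condition/value pairs, so the outer if() is unnecessary, and the second operationName value must be a quoted string compared with ==. The makeresults events and the sample0 to sample4 values are constructed so the search runs without the amdl:aadal:audit data; mvindex counts from 0, so the indexes 3 and 4 kept from the post return sample3 and sample4.

```spl
| makeresults count=2
| streamstats count AS n
| eval operationName=if(n==1,
    "Add member to role completed (PIM activation)",
    "Add member to role request denied (PIM activation)")
| eval names=split("sample0,sample1,sample2,sample3,sample4", ",")
| rename names AS "properties.targetResources{}.displayName"
| eval dest=case(
    operationName=="Add member to role completed (PIM activation)",
        mvindex('properties.targetResources{}.displayName', 3),
    operationName=="Add member to role request denied (PIM activation)",
        mvindex('properties.targetResources{}.displayName', 4))
| table operationName dest
```

Against the real data, replace the first four commands with the base search from the post (sourcetype="amdl:aadal:audit" operationName=*); events matching neither operation get a null dest because case() has no default branch.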
