topic Re: Working with boolean operations like an arithmetic operation. in Splunk Search
https://community.splunk.com/t5/Splunk-Search/Working-with-boolean-operations-like-an-arithmetic-operation/m-p/363222#M107282
Working with boolean operations like an arithmetic operation.
https://community.splunk.com/t5/Splunk-Search/Working-with-boolean-operations-like-an-arithmetic-operation/m-p/363220#M107280
<P>Hello Everyone, I've just done a Splunk query that required a lot of conditionals, and I just wanted to use <A href="https://en.wikipedia.org/wiki/Boolean_algebra">boolean</A> algebra to solve it, but when I wanted to apply it in Splunk I had many problems.</P>
<P>For example I have the value A and the value B, all of those values are booleans and the operation I want to do is F=A AND −B (Negated B value).</P>
<P>So if A=0 and B=0, the operation will be:</P>
<PRE><CODE>F = 0 AND 1
F= 0
</CODE></PRE>
<P>If A=1 AND B=0 then:</P>
<PRE><CODE>F = 1 AND 1
F= 1
</CODE></PRE>
<P>I will have 4 combinations and I only want results where F=0, at the moment I can solve it with this query in Splunk: </P>
<PRE><CODE>| eval A = 1
| eval B = 1
| eval NOTB = if(B=0,1,0)
| eval F = if( A = 1 AND NOTB=0,1,0)
| where F = 0
</CODE></PRE>
<P>This is OK for now because I only have 4 combinations of values but I will have much more combinations in the future and I'd rather use something like this if I could: </P>
<PRE><CODE>| eval A = 1
| eval B = 1
| eval NOTB = if(B=0,1,0)
| eval F = A AND NOTB
| where F = 0
</CODE></PRE>
<P>The error I get when I tried to do that is: </P>
<BLOCKQUOTE>
<P>Error in 'eval' command: Typechecking failed. 'AND' only takes boolean arguments.</P>
</BLOCKQUOTE>
<P>Any help will be appreciated.</P>
<P>Best regards.</P>
Posted Mon, 19 Mar 2018 09:40:49 GMT by jrballesteros05
Re: Working with boolean operations like an arithmetic operation.
https://community.splunk.com/t5/Splunk-Search/Working-with-boolean-operations-like-an-arithmetic-operation/m-p/363221#M107281
<P>Hello! Can you please provide sample data?<BR />
Also, what inputs are A and B, that you'll be getting more than 4 combinations?</P>
Posted Tue, 20 Mar 2018 08:24:28 GMT by bangalorep
Re: Working with boolean operations like an arithmetic operation.
https://community.splunk.com/t5/Splunk-Search/Working-with-boolean-operations-like-an-arithmetic-operation/m-p/363222#M107282
<P>Hi @bangalorep. This is the macro query I did. A AND B will be a result from other conditions, but it will always be a boolean value; in my case I use 0 AND 1 but it can be TRUE OR FALSE. This is the complete query I used.</P>
<PRE><CODE>inputlookup cve-vul-alienvault-lookup-usa
| eval CurrentCycle="20180201"
| eval cycle_detection_time=strptime(CurrentCycle,"%Y%m%d")
| eval Cycle1monthago = strftime(relative_time(cycle_detection_time,"@month-1month"),"%Y%m%d")
| where cycle_detection = CurrentCycle OR cycle_detection=Cycle1monthago
| eval A = if(Auth = "AuthOK" AND cycle_detection=Cycle1monthago,1,0)
| eval B = if((Auth = "AuthOK" OR Auth="NULL") AND cycle_detection=CurrentCycle,1,0)
| eventstats sum(A) as A , sum(B) as B, count by id,dest_ip
| eval F = if(A=1 AND B=0,1,0)
| where F=0
| eval IsResolved = case ((count = 2 AND cycle_detection=CurrentCycle),"Not Resolved",(count=1 AND cycle_detection=Cycle1monthago),"Resolved", count=1 AND cycle_detection=CurrentCycle,"New Vulnerability")
| fields id,dest_ip,cycle_detection,os,signature,type,cvss,cve,Resultados,IsResolved
</CODE></PRE>
<P>The problem is now solved with the query I have because I only have 4 combinations of values between A AND B. </P>
<P>A = 0 AND B = 0<BR />
A = 0 AND B = 1<BR />
A = 1 AND B = 0<BR />
A = 1 AND B = 1</P>
<P>I want the result of all combinations except when A = 1 AND B = 0 so I decided to call the result as F, F will be 1 if I want to ignore the result and 0 if I want to keep it so I will have something like this: </P>
<P>A = 0 AND B = 0 so F = 0<BR />
A = 0 AND B = 1 so F = 0<BR />
A = 1 AND B = 0 so F = 1<BR />
A = 1 AND B = 1 so F = 0</P>
<P>The mathematical function which represents what I wanted is: <STRONG>F = (A AND BNEGATED)</STRONG>; this is the same logic we use in electronic circuits. So if I receive these values in the results: </P>
<P>A = 1 AND B = 1</P>
<P>Then BNEGATED = 0 so F = (1 AND 0 ) then F = 0 </P>
<P>if I received these values</P>
<P>A = 1 AND B = 0</P>
<P>Then BNEGATED = 1 so F = (1 AND 1) then F = 1 </P>
<P>There are two ways (maybe more, but I don't know, and I'd be glad to receive any recommendation) I can solve this problem; the first one is like the previous query: </P>
<PRE><CODE>| eval F = if(A=1 AND B=0,1,0)
| where F=0
</CODE></PRE>
<P>That logic is OK because I only have two variables to compare and I only have 4 combinations available but I really want to use the boolean function like logic circuits in electronic components. </P>
<PRE><CODE>| eval NEGATEDB = if(B=0,1,0)
| eval F = A AND NEGATEDB
| where F=0
</CODE></PRE>
<P>Why do I want to work this way? Because in this case I only have 2 variables (A and B) and only 4 combinations, but in the future I'm planning to have 4 variables (maybe more) and then I will have 16 combinations of values, so I don't want to use a case; I think a function is the best way (I might be wrong). For example, in the case with 3 variables I have this function: </P>
<P>F = B AND C AND ( A OR ANEGATED)</P>
<P>so when A = 1, B = 0, C= 1 I will have: </P>
<P>F = 0 AND 1 AND (1 OR 0) = 0 AND 1 AND 1 = 0 . This is going to be OK</P>
<P>if A = 1, B = 1, C =0 I will have: </P>
<P>F = 1 AND 1 AND (1 OR 0) = 1 AND 1 AND 1 = 1. Splunk will filter this value because I want results when F=0</P>
<P>In short words I want to work with Boolean values like arithmetic values: </P>
<PRE><CODE>eval V = X/t
where V >= 100
</CODE></PRE>
<P>At the moment I don't know how to or if it's possible. </P>
<P><STRONG>I hope I did not confuse anyone hehehe</STRONG> and I also did not focus on the A and B values; the A and B values will always be 0 or 1. Those values come from other conditionals but will be 1 or 0. </P>
Posted Tue, 20 Mar 2018 10:33:03 GMT by jrballesteros05
Re: Working with boolean operations like an arithmetic operation.
https://community.splunk.com/t5/Splunk-Search/Working-with-boolean-operations-like-an-arithmetic-operation/m-p/363223#M107283
<P>So, what I understand is, you are going to have 4 variables (A, B, C and D) and you want the results for F=0 where F = A AND B AND C AND D.</P>
<P>could you maybe run a search like this?</P>
<PRE><CODE>| where (A=1 OR B=1 OR C=1 OR D=1)
</CODE></PRE>
<P>instead of searching for <CODE>F=0</CODE></P>
<PRE><CODE>| makeresults
| eval A = 1
| eval B = 0
| eval C= 0
| eval D=1
| eval F=if(A==0 OR B==0 OR C==0 OR D==0,0,1)
</CODE></PRE>
Posted Tue, 20 Mar 2018 10:59:08 GMT by bangalorep
Re: Working with boolean operations like an arithmetic operation.
https://community.splunk.com/t5/Splunk-Search/Working-with-boolean-operations-like-an-arithmetic-operation/m-p/363224#M107284
<P>If you represent your boolean values as 1 and 0, you could also apply normal arithmetic operators, to calculate the result, right?</P>
<P>Especially with an AND that is easy, as it can be implemented with multiplication and the negation can be implemented as <CODE>abs(B-1)</CODE>:</P>
<PRE><CODE>| eval A = 1
| eval B = 0
| eval F = A * abs(B-1)
</CODE></PRE>
Posted Tue, 20 Mar 2018 11:29:28 GMT by FrankVl
Re: Working with boolean operations like an arithmetic operation.
https://community.splunk.com/t5/Splunk-Search/Working-with-boolean-operations-like-an-arithmetic-operation/m-p/363225#M107285
<P>Hi @bangalorep, thank you for your reply and your time. </P>
<P>What I really want is to use <A href="https://plato.stanford.edu/entries/boolalg-math/">boolean math</A> in Splunk. I represented the function like Splunk did, for example: </P>
<P>A OR B in boolean maths is (A + B) but 1 + 1 is not 2, 1 + 1 in boolean maths is 1<BR />
A AND B in boolean maths is (A*B); in this case any value multiplied by 0 is always 0. </P>
<P>but if I want to represent the function: </P>
<P>A = 1<BR />
B = 1<BR />
C = 1<BR />
D = 1</P>
<P>F = (A * B) * (C + D) or in Splunk syntax</P>
<P>F = (A AND B) AND (C OR D) </P>
<P>I cannot do it in Splunk. If I do it like arithmetic operators I will have:</P>
<P>F = (1 * 1) * ( 1 + 1) = 2 </P>
<P>But I want the boolean math, I only want a result like 0 or 1, nothing else: </P>
<P>F = (1 * 1) * (1 + 1) = 1 or<BR />
F = (1 AND 1) AND (1 OR 1) = 1</P>
<P>Yes, I know I can use the where syntax but I want to make boolean operations in Splunk like I do a single arithmetic operation.</P>
Posted Tue, 20 Mar 2018 11:41:00 GMT by jrballesteros05
Re: Working with boolean operations like an arithmetic operation.
https://community.splunk.com/t5/Splunk-Search/Working-with-boolean-operations-like-an-arithmetic-operation/m-p/363226#M107286
<P>Hello @FrankVl. This is closer to what I want. </P>
<P>The AND is OK; how can I implement the OR and the XOR? If I can implement only the OR it will be ok because I can simulate the XOR with ANDs and ORs. </P>
Posted Tue, 20 Mar 2018 11:43:43 GMT by jrballesteros05
Re: Working with boolean operations like an arithmetic operation.
https://community.splunk.com/t5/Splunk-Search/Working-with-boolean-operations-like-an-arithmetic-operation/m-p/363227#M107287
<P>OR would be addition, where you need to translate any result <CODE>>1</CODE> to <CODE>1</CODE>.</P>
<P>For example:</P>
<PRE><CODE>| eval A = 1
| eval B = 0
| eval F = min(1,A+B)
</CODE></PRE>
<P>XOR can be done with subtraction:</P>
<PRE><CODE>| eval A = 1
| eval B = 0
| eval F = abs(A-B)
</CODE></PRE>
Posted Tue, 20 Mar 2018 12:42:48 GMT by FrankVl
Re: Working with boolean operations like an arithmetic operation.
https://community.splunk.com/t5/Splunk-Search/Working-with-boolean-operations-like-an-arithmetic-operation/m-p/363228#M107288
<P>Hello @FrankVl, this is exactly what I need. Thank you so much for your reply and your time. </P>
Posted Wed, 21 Mar 2018 16:39:29 GMT by jrballesteros05
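A truth-table check of the arithmetic encodings proposed in this thread (AND as A*B, NOT as 1-B, OR as min(1, A+B), XOR as abs(A-B)), added here as an example and not taken from any post: it generates all 16 combinations of four 0/1 fields with makeresults and streamstats, then compares the arithmetic form of the multi-variable F = (A AND B) AND (C OR D) and of the three-variable F = B AND C AND (A OR NOT A) against if()-based boolean versions. The field names, the naive_sum column (plain addition without the min() clamp, which yields 2 on the all-ones row) and the check column are my own constructions.

```spl
| makeresults count=16
| streamstats count as n
| eval n = n - 1
| eval A = floor(n / 8) % 2, B = floor(n / 4) % 2, C = floor(n / 2) % 2, D = n % 2
| eval NOT_B = 1 - B
| eval AND_AB = A * B
| eval OR_CD = min(1, C + D)
| eval XOR_AB = abs(A - B)
| eval naive_sum = (A * B) * (C + D)
| eval F_arith = (A * B) * min(1, C + D)
| eval F_bool = if((A = 1 AND B = 1) AND (C = 1 OR D = 1), 1, 0)
| eval F3_arith = B * C * min(1, A + (1 - A))
| eval F3_bool = if(B = 1 AND C = 1 AND (A = 1 OR A = 0), 1, 0)
| eval check = if(F_arith = F_bool AND F3_arith = F3_bool, "ok", "MISMATCH")
| table A B C D NOT_B AND_AB OR_CD XOR_AB naive_sum F_arith F_bool F3_arith F3_bool check
```

Paste the whole pipeline into the Splunk search bar; every row should show check=ok, and appending `| where F_arith = 0` keeps exactly the rows the boolean form would keep.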