topic Re: Working with boolean operations like an arithmetic operation. in Splunk Search

Working with boolean operations like an arithmetic operation.

jrballesteros05 — Mon, 19 Mar 2018 09:40:49 GMT

Hello Everyone, I've just done a Splunk query that it required a lot of conditionals and I just wanted to use boolean algebra to solve it but when I wanted to apply in Splunk I had many problems.

For example I have the value A and the value B, all of those values are booleans and the operation I want to do is F=A AND −B (Negated B value).

So if A=0 and B=0, the operation will be:

F = 0 AND 1 
F= 0

If A=1 AND B=0 then:

F = 1 AND 1
F= 1

I will have 4 combinations and I only want results where F=0, at the moment I can solve it with this query in Splunk:

| eval A = 1
| eval B = 1
| eval NOTB = if(B=0,1,0)
| eval F =  if( A = 1 AND NOTB=0,1,0)
| where F = 0

This is OK for now because I only have 4 combinations of values but I will have much more combinations in the future and I'd rather use something like this if I could:

| eval A = 1
| eval B = 1
| eval NOTB = if(B=0,1,0)
| eval F = A AND NOTB
| where F = 0

The error I get when I tried to do that is:

Error in 'eval' command: Typechecking failed. 'AND' only takes boolean arguments.

Any help will be appreciate.

Best regards.

Re: Working with boolean operations like an arithmetic operation.

bangalorep — Tue, 20 Mar 2018 08:24:28 GMT

Hello! Can you please provide sample data?
Also, what inputs are A and B, that you'll be getting more than 4 combinations?

Re: Working with boolean operations like an arithmetic operation.

jrballesteros05 — Tue, 20 Mar 2018 10:33:03 GMT

Hi @bangalorep. This is the macro query I did. A AND B will be a result from other conditions, but it always be a boolean value, in my case I use 0 AND 1 but it can be TRUE OR FALSE. This is the complete query I used.

inputlookup cve-vul-alienvault-lookup-usa
| eval CurrentCycle="20180201"
| eval cycle_detection_time=strptime(CurrentCycle,"%Y%m%d")
| eval Cycle1monthago = strftime(relative_time(cycle_detection_time,"@month-1month"),"%Y%m%d")
| where cycle_detection = CurrentCycle OR cycle_detection=Cycle1monthago
| eval A = if(Auth = "AuthOK" AND cycle_detection=Cycle1monthago,1,0)
| eval B = if((Auth = "AuthOK" OR Auth="NULL") AND cycle_detection=CurrentCycle,1,0)
| eventstats sum(A) as A , sum(B) as B, count by id,dest_ip
| eval F = if(A=1 AND B=0,1,0)
| where F=0
| eval IsResolved = case ((count = 2 AND cycle_detection=CurrentCycle),"Not Resolved",(count=1 AND cycle_detection=Cycle1monthago),"Resolved", count=1 AND cycle_detection=CurrentCycle,"New Vulnerability")
| fields id,dest_ip,cycle_detection,os,signature,type,cvss,cve,Resultados,IsResolved

The problem is now solved with they query I have because I only have 4 combinations of values between A AND B.

A = 0 AND B = 0
A = 0 AND B = 1
A = 1 AND B = 0
A = 1 AND B = 1

I want the result of all combinations except when A = 1 AND B = 0 so I decided to call the result as F, F will be 1 if I want to ignore the result and 0 if I want to keep it so I will have something like this:

A = 0 AND B = 0 so F = 0
A = 0 AND B = 1 so F = 0
A = 1 AND B = 0 so F = 1
A = 1 AND B = 1 so F = 0

The mathematical functions which represents what I wanted is: F = (A AND BNEGATED) this is the same logic we use in electronic circuits. So if I receive these values in the results:

A = 1 AND B = 1

Then BNEGATED = 0 so F = (1 AND 0 ) then F = 0

if I received these values

A = 1 AND B = 0

Then BNEGATED = 1 so F = (1 AND 1) then F = 1

There are two ways (Maybe more but I don't know and I'll be able to receive any recommendation) I can solve this problem, the fist one is like the previous query:

| eval F = if(A=1 AND B=0,1,0)
| where F=0

That logic is OK because I only have two variables to compare and I only have 4 combinations available but I really want to use the boolean function like logic circuits in electronic components.

| eval NEGATEDB = if(B=0,1,0)
| eval F = A AND NEGATEDB
| where F=0

Why I want to work this way? Because in this case I only have 2 variables (A and B) and only 4 combinations but in the future I'm planning to have 4 variables (maybe more) and then I will have 16 combinations of values so I don't want to use a case, I think a function is the best way (I might be wrong). For example in the case with 3 variables I have this function:

F = B AND C AND ( A OR ANEGATED)

so when A = 1, B = 0, C= 1 I will have:

F = 0 AND 1 AND (1 OR 0) = 0 AND 1 AND 1 = 0 . This is going to be OK

if A = 1, B = 1, C =0 I will have:

F = 1 AND 1 AND (1 OR 0) = 1 AND 1 AND 1 = 1. Splunk will filter this value because I want results when F=0

In short words I want to work with Boolean values like arithmetic values:

eval V = X/t 
where V >= 100

At the moment I don't know how to or if it's possible.

I hope I did not confused anyone hehehe and I also did not focus in A and B values, the A and B values will always be 0 or 1. Those values come from other conditionals but will be 1 or 0.

Re: Working with boolean operations like an arithmetic operation.

bangalorep — Tue, 20 Mar 2018 10:59:08 GMT

So, what i understand is, you are going to have 4 variables (A,B,C and D) and you wantthe results for F=0 where F = A AND B AND C AND D.

could you maybe run a search like this?

| where (A=1 OR B=1 OR C=1 OR D=1)

instead of searching for F=0

| makeresults 
| eval A = 1 
| eval B = 0 
| eval C= 0 
| eval D=1 
| eval F=if(A==0 OR B==0 OR C==0 OR D==0,0,1)

Re: Working with boolean operations like an arithmetic operation.

FrankVl — Tue, 20 Mar 2018 11:29:28 GMT

If you represent your boolean values as 1 and 0, you could also apply normal arithmetic operators, to calculate the result, right?

Especially with an AND that is easy, as it can be implemented with multiplication and the negation can be implemented as abs(B-1):

| eval A = 1 
| eval B = 0
| eval F = A * abs(B-1)

Re: Working with boolean operations like an arithmetic operation.

jrballesteros05 — Tue, 20 Mar 2018 11:41:00 GMT

Hi @bangalorep, thank your for your reply and your time.

What I really want is to use boolean math in Splunk. I represented the function like Splunk did, for example:

A OR B in boolean maths is (A + B) but 1 + 1 is not 2, 1 + 1 in boolean maths is 1
A AND B in boolean maths is (A*B), in this case any value multiply by 0 is always 0.

but if I want to represent the function:

A = 1
B = 1
C = 1
D = 1

F = (A * B) * (C + D) or in Splunk syntax

F = (A AND B) AND (C OR D)

I cannot do it in Splunk. If I do it like arithmetic operators I will have:

F = (1 * 1) * ( 1 + 1) = 2

But I want the boolean math, I only want a result like 0 or 1, nothing else:

F = (1 * 1) * (1 + 1) = 1 or
F = (1 AND 1) AND (1 OR 1) = 1

Yes, I know I can use the where syntax but I want to make boolean operations in Splunk like I do a single arithmetic operation.

Re: Working with boolean operations like an arithmetic operation.

jrballesteros05 — Tue, 20 Mar 2018 11:43:43 GMT

Hello @FrankVI. This is closer for what I want.

The AND is OK, how can implement the OR and the XOR. If I can implement only the OR it will be ok because I can simulate the XOR with AND's and OR's.

Re: Working with boolean operations like an arithmetic operation.

FrankVl — Tue, 20 Mar 2018 12:42:48 GMT

OR would be addition, where you need to translate any result >1 to 1.

For example:

| eval A = 1
| eval B = 0
| eval F = min(1,A+B)

XOR can be done with subtraction:

| eval A = 1
| eval B = 0
| eval F = abs(A-B)

Re: Working with boolean operations like an arithmetic operation.

jrballesteros05 — Wed, 21 Mar 2018 16:39:29 GMT

Hello @FrankVl, this is exactly what I need. Thank you so much for your reply and your time.