topic How to create an eval and use of like? in Splunk Search

How to create an eval and use of like?

jwalzerpitt — Fri, 16 Sep 2022 17:49:10 GMT

I am trying to an eval with like to assign priority to certain IPs/hosts and running into an issue where the priority is not being assigned. I am using network data to create my ES asset list and I have a lookup that does IP to cidr range and then returns the zone the IP is associated with. Later in my search I rename zone to bunit and right after that I am testing the eval as follows:

| eval priority=if(like(bunit,"%foo%"), "critical" , "TBD")

As I am testing the search at the end of my search I have:

| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, device, interface
| search bunit=*foo*

I get a list of all foo related bunit events, but the priority field is set to "TBD"

Would appreciate any help - thx

Re: Having issue with eval and use of like

isoutamo — Fri, 16 Sep 2022 12:18:37 GMT

Are you sure that bunit is not a multi value field?

Re: Having issue with eval and use of like

jwalzerpitt — Fri, 16 Sep 2022 13:04:54 GMT

bunit just has one value per IP

Re: Having issue with eval and use of like

jwalzerpitt — Fri, 16 Sep 2022 13:20:44 GMT

My apologies as reviewing the search output I need to dedup fields with bunit being one of those fields. Here is my entire search:

index=arp sourcetype=foo_arp NOT mac IN (incomplete) | lookup securitygroupmembers_lookup cidr_range as ip | lookup dnslookup clientip as ip OUTPUT clienthost as dns | fillnull value=NULL | search zone!="" | eval zone=coalesce(zone,"null") | rename zone AS bunit | eval priority=if(like(bunit,"%foo%"), "critical" , "TBD") | eval ip=mvdedup(ip), mac=mvdedup(mac), dns=mvdedup(dns), bunit=mvdedup(bunit), device=mvdedup(device), interface=mvdedup(interface) | table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, device, interface | search bunit=*foo*

For some reason I am getting dupes in various fields so I use an eval to dedup those fields. With bunit being a multi value field, what effect does that have?

Thx

Re: Having issue with eval and use of like

isoutamo — Fri, 16 Sep 2022 13:38:05 GMT

Multivalue fields has different behaviour than "normal" single value fields.

Can you try this

eval priority=if(isnotnull(mvfind(bunit,"foo")), "critical" , "TBD")

mvfind(MVFIELD,"REGEX")

Re: Having issue with eval and use of like

jwalzerpitt — Fri, 16 Sep 2022 13:49:17 GMT

That worked after making a slight change so TYVM!

At first when I used the following, the priority field was still coming back as TBD

| eval priority=if(isnotnull(mvfind(bunit,"fis")), "critical" , "TBD")

However, when I made the change from isnotnull to isnull (and added % to foo) the bunit field was now tagged as critical

| eval priority=if(isnull(mvfind(bunit,"%foo%")), "critical" , "TBD")

Is it possible to search for multiple values in the bunit filed in the eval like as follows? I have a list of zones/bunits I need to tag as critical

| eval priority=if(isnull(mvfind(bunit,"%foo%", "%bar%, "%abc%)), "critical" , "TBD")

Thx again!

Re: Having issue with eval and use of like

isoutamo — Fri, 16 Sep 2022 13:51:38 GMT

As mvfind use regex to match, you could use what it offer. Easy place to test those is regex101.com.

Re: Having issue with eval and use of like

jwalzerpitt — Fri, 16 Sep 2022 14:03:46 GMT

Thx again

Re: Having issue with eval and use of like

jwalzerpitt — Fri, 16 Sep 2022 14:54:48 GMT

One issue I see is that with using isnull/isnotnull as follows, it tags all values from the bunits field as critical:

| eval priority=if(isnull(mvfind(bunit,"(%foo%)")), "critical" , "TBD")

Is there a better information function (https://docs.splunk.com/Documentation/SCS/current/SearchReference/InformationalFunctions#isstr.28.26lt.3Bvalue.26gt.3B.29) to use?