https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177331#M50994 <P>Thanks! I added a minor tweak by renaming the fields as it was only working on the first event, then reverting back to showing all port states (open/closed/filtered). Great idea of using mvzip to stitch the fields together then using rex. Appreciate your help, thanks!</P> Tue, 12 Aug 2014 16:58:08 GMT darthsplunk 2014-08-12T16:58:08Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177325#M50988 <P>Hi,</P> <P>I'm having problems using mvfilter to filter out NULL strings. This is my search:</P> <P><CODE><BR /> index=nmap* | eval state=mvfilter(match(dest_port_state, "open")) | eval state=mvfilter(state!=NULL) | table dest, dest_port, transport, state, app<BR /> </CODE></P> <P>I've looked at examples that others are using to achieve the same thing and they appear to be the same as the search I am using, however Splunk is returning the following error:</P> <P><CODE><BR /> "Error in 'eval' command: The arguments to the 'mvfilter' function are invalid. "<BR /> </CODE></P> <P>When I enter a string in quotes such as<CODE> state!="test" </CODE>or values such as <CODE>state!=123</CODE> I get no error... Splunk isn't recognising <CODE>NULL</CODE></P> <P>Any thoughts?</P> <P>Thanks.</P> <P>** Update **</P> <P>So it seems that my approach is wrong, as taking out the NULL eval shows the open port as port 7, however looking at the RAW event, the open port is in fact 23 (telnet). </P> <P>I have the following event:</P> <P><CODE><BR /> Nmap scan report for 10.10.10.10<BR /> Host is up (0.0024s latency).<BR /> Scanned at 2014-07-10 17:08:07 BST for 42s<BR /> PORT STATE SERVICE<BR /> 7/tcp closed echo<BR /> 9/tcp closed discard<BR /> 13/tcp closed daytime<BR /> 21/tcp closed ftp<BR /> 22/tcp closed ssh<BR /> 23/tcp open telnet<BR /> </CODE></P> <P>After stripping my incorrect eval statements I'm back to:</P> <P><BR /> index=nmap* dest_port_state="open" | table dest, dest_port, transport, dest_port_state, app<BR /> </P> <P>I want to write a search that will output a table showing open ports by host. I'm having problems filtering this correctly though. Any help would be appreciated!</P> <P>Thanks Again.</P> Sun, 10 Aug 2014 23:06:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177325#M50988 darthsplunk 2014-08-10T23:06:51Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177326#M50989 <P>Try using null() instead of NULL.</P> Mon, 11 Aug 2014 14:42:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177326#M50989 somesoni2 2014-08-11T14:42:53Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177327#M50990 <P>Thanks for the response. Doesn't work I'm afriad. Hmm.</P> Mon, 11 Aug 2014 16:23:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177327#M50990 darthsplunk 2014-08-11T16:23:41Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177328#M50991 <P>This syntax works for me.</P> <PRE><CODE>...| eval state=mvfilter(state!="") </CODE></PRE> <P>Have a look at this runanywhere query. (there is one null value in both Name and Age field)</P> <PRE><CODE>|gentimes start=-1 | eval to="A:30 B:40 C: D:45 :50" | table to | makemv to | mvexpand to | rex field=to "(?&lt;Name&gt;.*):(?&lt;age&gt;.*)" | stats list(Name) as Name list(age) as Age | eval cName=mvcount(Name) | eval cAge=mvcount(Age) | eval Name1=mvfilter(Name!="")| eval Age1=mvfilter(Age!="") | eval cName1=mvcount(Name1) | eval cAge1=mvcount(Age1) </CODE></PRE> <P><STRONG>Update</STRONG></P> <P>There are 4 multivalued field and the filter is being applied on only one, hence the output is not correct. Try this</P> <PRE><CODE>index=nmap* dest_port_state="open" | table dest, dest_port, transport, dest_port_state, app | eval temp=mvzip(mvzip(mvzip(dest_port,transport,"#"),dest_port_state,"#"),app,"#") | eval temp=mvfilter(match(temp,"#open#")) | rex field=temp "(?&lt;dest_port&gt;.*)#(?&lt;transport&gt;.*)#(?&lt;dest_port_state&gt;.*)#(?&lt;app&gt;.*)" | fields - temp </CODE></PRE> Mon, 11 Aug 2014 19:20:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177328#M50991 somesoni2 2014-08-11T19:20:25Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177329#M50992 <P>Hi, thanks again for the response.</P> <P>Although this does not return an eval error, it does not produce the desired output. The data returned looks like:<BR /> <CODE><BR /> dest dest_port transport state app<BR /> 10.10.10.10 7 tcp open echo<BR /> 9 tcp discard<BR /> 13 tcp daytime<BR /> 21 tcp ftp<BR /> 22 tcp ssh<BR /> 23 tcp telnet<BR /> </CODE><BR /> The raw log indicates all ports are closed apart from telnet (port 23).</P> Tue, 12 Aug 2014 11:06:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177329#M50992 darthsplunk 2014-08-12T11:06:33Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177330#M50993 <P>Try the updated answer.</P> Tue, 12 Aug 2014 13:10:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177330#M50993 somesoni2 2014-08-12T13:10:35Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177331#M50994 <P>Thanks! I added a minor tweak by renaming the fields as it was only working on the first event, then reverting back to showing all port states (open/closed/filtered). Great idea of using mvzip to stitch the fields together then using rex. Appreciate your help, thanks!</P> Tue, 12 Aug 2014 16:58:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177331#M50994 darthsplunk 2014-08-12T16:58:08Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177332#M50995 <P>The <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonEvalFunctions">documentation</A> for <CODE>mvfilter</CODE> seems to be incorrrect. I get the same error message as the original poster:</P> <BLOCKQUOTE> <P>Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.</P> </BLOCKQUOTE> <P>when I use <CODE>mvfilter</CODE> like this:</P> <P><CODE>| eval SessionEndTime = mvfilter (SessionEndTime != NULL)</CODE></P> <P>Using <CODE>null()</CODE> instead of <CODE>NULL</CODE> does not work either; it gives me the error:</P> <BLOCKQUOTE> <P>Error in 'eval' command: Typechecking failed. The '!=' operator received different types.</P> </BLOCKQUOTE> <P>What <EM>does</EM> seem to work is putting <CODE>NULL</CODE> in quotes like this:</P> <P><CODE>| eval SessionEndTime = mvfilter (SessionEndTime != "NULL")</CODE></P> Tue, 07 Apr 2015 15:23:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-output-a-table-showing-open-ports-by/m-p/177332#M50995 helge 2015-04-07T15:23:39Z