topic Re: Simple search with eval. Why is no table shown? in Splunk Search

Simple search with eval. Why is no table shown?

alex1895 — Fri, 19 Feb 2016 18:32:50 GMT

Here is the search:

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true")| table cat | where check_cat="true"

I get events back from the search,t but the table is not built up.

Re: Simple search with eval. Why is no table shown?

richgalloway — Fri, 19 Feb 2016 18:59:20 GMT

Does Verbose Mode show events with the 'cat' field having the specified values?

Re: Simple search with eval. Why is no table shown?

alex1895 — Fri, 19 Feb 2016 19:52:06 GMT

Yes, the 'cat' field has specified values. But for some reason the eval filter does not work. The events also show cat field values excluded in the eval filter.

Re: Simple search with eval. Why is no table shown?

somesoni2 — Fri, 19 Feb 2016 20:18:35 GMT

The table command you used is limiting the fields to just cat, hence your where clause is failing as the field check_cat is not available. Try like this

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true") | where check_cat="true" 
 | table cat

OR more efficient method

  index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration"   | table cat

Re: Simple search with eval. Why is no table shown?

alex1895 — Fri, 19 Feb 2016 20:53:04 GMT

Thanks both searches work. I realized that the Boolean expressions are case sensitive thats why my searches also did not work.

Re: Simple search with eval. Why is no table shown?

somesoni2 — Fri, 19 Feb 2016 21:24:53 GMT

Yes, when used in EVAL/WHERE strings are case-sensitive, but if used in base search OR SEARCH command, they are not.

Re: Simple search with eval. Why is no table shown?

wmyersas — Tue, 03 Mar 2020 13:44:44 GMT

Why use case() here instead of if()?

Re: Simple search with eval. Why is no table shown?

to4kawa — Tue, 03 Mar 2020 21:46:00 GMT

there is no else operation.

Re: Simple search with eval. Why is no table shown?

wmyersas — Wed, 04 Mar 2020 15:16:40 GMT

Sure there is: |eval check_cat=if(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true",null())