Re: Combine two searches using Eval with Case stat...

abdimustafa12 · ‎03-08-2016

Combine two searches using Eval with Case statement.

chimell · ‎03-09-2016

Hi
Try this

 sourcetype=Firewall action=allowed port=21 OR port=22 OR port=20
 | eval Direction=case((dst!="10.0.0.0/8" AND  dst!="192.168.0.0/16"),"OUTBOUND",(src!="10.0.0.0/8" AND src!="192.168.0.0/16"),"INBOUND")| iplocation dst | where Country!="United States" | stats Count by Country src dst port action Direction

somesoni2 · ‎03-08-2016

Give this a try

sourcetype=Firewall action=allowed port=21 OR port=22 OR port=20
| eval Direction=case(dst!="10.0.0.0/8" AND  dst!="192.168.0.0/16","OUTBOUND",src!="10.0.0.0/8" AND src!="192.168.0.0/16","INBOUND",1=1,"Other") | where Direction!="Other" | iplocation dst | rename Country as Country_dst | iplocation src | where Country!="United States" OR Country_dst!="United States" | stats Count byCountry src dst port action Direction

lguinn2 · ‎03-08-2016

sourcetype=Firewall action=allowed (port=21 OR port=22 OR port=20) 
       (dst!=10.0.0.0/8 dst!=192.168.0.0/16 ) OR (src!=10.0.0.0/8 src!=192.168.0.0/16)
| iplocation dst
| search Country!="United States"
| stats Count by Country src dst port action

This is a start - but the real problem is: how do you determine the direction? Without that information, the whole search doesn't really make sense to me.

Combine two searches using Eval with Case statement.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!