Archive
Highlighted

Combine two searches using Eval with Case statement.

New Member

Combine two searches using Eval with Case statement.

Tags (1)
0 Karma
Highlighted

Re: Combine two searches using Eval with Case statement.

Legend
sourcetype=Firewall action=allowed (port=21 OR port=22 OR port=20) 
       (dst!=10.0.0.0/8 dst!=192.168.0.0/16 ) OR (src!=10.0.0.0/8 src!=192.168.0.0/16)
| iplocation dst
| search Country!="United States"
| stats Count by Country src dst port action

This is a start - but the real problem is: how do you determine the direction? Without that information, the whole search doesn't really make sense to me.

0 Karma
Highlighted

Re: Combine two searches using Eval with Case statement.

SplunkTrust
SplunkTrust

Give this a try

sourcetype=Firewall action=allowed port=21 OR port=22 OR port=20
| eval Direction=case(dst!="10.0.0.0/8" AND  dst!="192.168.0.0/16","OUTBOUND",src!="10.0.0.0/8" AND src!="192.168.0.0/16","INBOUND",1=1,"Other") | where Direction!="Other" | iplocation dst | rename Country as Country_dst | iplocation src | where Country!="United States" OR Country_dst!="United States" | stats Count byCountry src dst port action Direction
0 Karma
Highlighted

Re: Combine two searches using Eval with Case statement.

Motivator

Hi
Try this

 sourcetype=Firewall action=allowed port=21 OR port=22 OR port=20
 | eval Direction=case((dst!="10.0.0.0/8" AND  dst!="192.168.0.0/16"),"OUTBOUND",(src!="10.0.0.0/8" AND src!="192.168.0.0/16"),"INBOUND")| iplocation dst | where Country!="United States" | stats Count by Country src dst port action Direction
0 Karma