Other Usage

How to create a boolean logic validation checker for a match?

Coryfindley
Engager

Hello, I am looking to create a Boolean logic validation checker for a match. I am attempting to use makeresults in a subsearch to create a field with a string I am looking for. Then I am using search to attempt to look for the newly created event, but it doesn't seem to be working.


index=test
    [| makeresults count=1
    | eval index="test"
    | eval command="ping 8.8.8.8"
    | table command]
| search ping AND 8


PickleRick
SplunkTrust

I'm not sure what you're trying to achieve.

After your subsearch runs and its results are substituted into the outer search you'll get

index=test command="ping 8.8.8.8" | search ping AND 8

 


ITWhisperer
SplunkTrust

I am not sure what this has to do with Boolean logic.

Are you searching for a field called command with the value "ping 8.8.8.8" or are you looking for the string "ping 8.8.8.8" in your events?


Coryfindley
Engager

If ping AND 8 is valid Boolean, it would hit on ping 8.8.8.8. 


ITWhisperer
SplunkTrust

"ping AND 8" is a valid Boolean expression and should "hit" on "ping 8.8.8.8"

Do you have examples where this doesn't work?


Coryfindley
Engager

This example is valid. I am looking for a way to use Splunk to make a Splunk log using makeresults that returns the command if the Boolean is valid. So this is more of a "how do I search a makeresults event" using Boolean.


ITWhisperer
SplunkTrust

I don't understand what you mean by "how do I search a makeresults event" - your search with a Boolean is being applied to the events returned from index=test which have been filtered by command="ping 8.8.8.8".

If you have events which you have created using makeresults, you can search them in the same way. The search command, as with any command, applies to the event pipeline, without knowledge of how the events in the pipeline were created.

| makeresults
| fields - _time
| eval _raw="blah blah ping 8.8.8.8 blah blah"
| eval command="ping 8.8.8.8"
| search 
    [| makeresults
    | eval command="ping 8.8.8.8"
    | table command]
| search ping AND 8
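An added example (not from any post in this thread) that extends the approach above into a small validation table: several constructed candidate command strings are turned into makeresults events, and the eval function searchmatch() reports for each one whether a Boolean expression matches, so non-matching candidates stay visible instead of being dropped by | search. The candidate strings and the two Boolean expressions are constructed for illustration.

```spl
| makeresults count=1
| eval candidate=split("ping 8.8.8.8;ping -c 4 10.0.0.1;nslookup example.com;curl http://8.8.4.4", ";")
| mvexpand candidate
| eval _raw=candidate
| fields - _time
| eval matches_ping_and_8=if(searchmatch("ping AND 8"), "yes", "no")
| eval matches_ping_not_8=if(searchmatch("ping NOT 8"), "yes", "no")
| table candidate matches_ping_and_8 matches_ping_not_8
```

The same pattern lets you check a proposed detection search against known-good and known-bad sample strings before pointing it at a real index.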