Solved: How to achieve eval case match?

maxouhunterfc · ‎01-17-2023

event is json:

{message:AZK} x 10

{message:BCK} x 5

{message:C} x 3

What Im trying to get is a table to count message by values with a modified text

Message AZK - 10

Message BCK - 5

C - 3

I use this:

| eval extended_message= case(
match(_raw,"AZK"),"Message AZK",
match(_raw,"BCK"),"Message BCK",
1=1, message)
| stats count as nombre by extended_message
| sort nombre desc
| table extended_message, nombre

I can't not get the "C" in the list to be counted

the message from the JSON event is not interpreted (i don't know)

Thanks for your help

kamlesh_vaghela · ‎01-17-2023

@maxouhunterfc

I think you have to extract message value from raw. Bcoz it looks _raw is not a valid json.

Can you please try this?

 
| rex field=_raw "message:(?<message>.*)}" 
| eval extended_message= case(
    match(_raw,"AZK"),"Message AZK",
    match(_raw,"BCK"),"Message BCK",
    1=1, message) 
| stats count as nombre by extended_message 
| sort nombre desc 
| table extended_message, nombre

My Sample Search :

| makeresults 
| eval raw="{message:AZK} x 10|{message:BCK} x 5|{message:C} x 3", raw=split(raw,"|") 
| mvexpand raw 
| rename raw as _raw 
|rename comment as "upto this is sample data" 
| rex field=_raw "message:(?<message>.*)}" 
| eval extended_message= case(
    match(_raw,"AZK"),"Message AZK",
    match(_raw,"BCK"),"Message BCK",
    1=1, message) 
| stats count as nombre by extended_message 
| sort nombre desc 
| table extended_message, nombre

Screenshot 2023-01-17 at 11.54.47 PM.png

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

maxouhunterfc · ‎01-17-2023

I needed to use indeed a rex

kamlesh_vaghela · ‎01-17-2023

@maxouhunterfc

I think you have to extract message value from raw. Bcoz it looks _raw is not a valid json.

Can you please try this?

 
| rex field=_raw "message:(?<message>.*)}" 
| eval extended_message= case(
    match(_raw,"AZK"),"Message AZK",
    match(_raw,"BCK"),"Message BCK",
    1=1, message) 
| stats count as nombre by extended_message 
| sort nombre desc 
| table extended_message, nombre

My Sample Search :

| makeresults 
| eval raw="{message:AZK} x 10|{message:BCK} x 5|{message:C} x 3", raw=split(raw,"|") 
| mvexpand raw 
| rename raw as _raw 
|rename comment as "upto this is sample data" 
| rex field=_raw "message:(?<message>.*)}" 
| eval extended_message= case(
    match(_raw,"AZK"),"Message AZK",
    match(_raw,"BCK"),"Message BCK",
    1=1, message) 
| stats count as nombre by extended_message 
| sort nombre desc 
| table extended_message, nombre

Screenshot 2023-01-17 at 11.54.47 PM.png

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

How to achieve eval case match?

splunk-assist

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

How to achieve eval case match?

splunk-assist

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)