Hello Splunkers,
What I am trying to write is a condition that says: if the command starts with "CHA" or "INS", add one.
The Query:
host=*| eval AUDIT=if(like(COMMAND,"CHA % AUDIT%", "INS % AUDIT%"),1,0)| stats sum(AUDIT)
Not combining the conditions gets me a working query, e.g.:
host=* | eval AUDIT=if(like(COMMAND,"CHA % AUDIT%"),1,0)|stats sum(AUDIT)
Is there a way I can get the query working?
The solution is in the question.
What I am trying to write is a condition that says: if the command starts with "CHA" or "INS", add one.
host=*
| eval AUDIT=if(like(COMMAND,"CHA % AUDIT%") OR like(COMMAND,"INS % AUDIT%"),1,0)
| stats sum(AUDIT)
Hi @richgalloway ,
After trying the query, I get an error message stating:
"Error in 'eval' command: The arguments to the 'like' function are invalid."
I've fixed my answer.
Thank you so much,
I've been trying to figure that out for hours. 🙏
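Added example, not part of the original thread: a self-contained search that runs the accepted `like(...) OR like(...)` condition against four constructed COMMAND values, so the match can be checked per row before pointing it at real audit data. `like()` takes exactly two arguments (the field and one pattern), which is why each pattern needs its own call. The `AUDIT_RE` column uses `match()` with a single regular expression as an alternative; that column, the sample commands and the TOTAL row are assumptions added here for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval COMMAND=case(
    n=1, "CHA USER01 AUDIT(ALL)",
    n=2, "INS DEV02 AUDIT ON",
    n=3, "DEL USER03 AUDIT(ALL)",
    n=4, "CHA USER04 NOAUDIT")
| eval AUDIT=if(like(COMMAND,"CHA % AUDIT%") OR like(COMMAND,"INS % AUDIT%"),1,0)
| eval AUDIT_RE=if(match(COMMAND,"^(CHA|INS) .* AUDIT"),1,0)
| table COMMAND AUDIT AUDIT_RE
| appendpipe
    [ stats sum(AUDIT) AS AUDIT sum(AUDIT_RE) AS AUDIT_RE
    | eval COMMAND="TOTAL" ]
```

Once the per-row flags look right, replace the first three pipeline stages with the real base search (`host=*` in the thread).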