Solved: Re: EVAL Command Help

Marco · ‎12-04-2020

Hello Splunkers,

I am trying to write is a condition that says if command starts with "CHA" or "INS" add one.

The Query:

host=*| eval AUDIT=if(like(COMMAND,"CHA % AUDIT%", "INS % AUDIT%"),1,0)| stats sum(AUDIT)

Not combining the conditions get me a working query EX:

host=* | eval AUDIT=if(like(COMMAND,"CHA % AUDIT%"),1,0)|stats sum(AUDIT)

Is there a way I can get the query working?

richgalloway · ‎12-04-2020

The solution is in the question.

I am trying to write is a condition that says if command starts with "CHA" or "INS" add one.

host=*
| eval AUDIT=if(like(COMMAND,"CHA % AUDIT%") OR like(COMMAND,"INS % AUDIT%"),1,0)
| stats sum(AUDIT)

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎12-04-2020

The solution is in the question.

I am trying to write is a condition that says if command starts with "CHA" or "INS" add one.

host=*
| eval AUDIT=if(like(COMMAND,"CHA % AUDIT%") OR like(COMMAND,"INS % AUDIT%"),1,0)
| stats sum(AUDIT)

---
If this reply helps you, Karma would be appreciated.

Marco · ‎12-07-2020

After trying the query, I get and error message stating:

"Error in 'eval' command: The arguments to the 'like' function are invalid."

-Marco

richgalloway · ‎12-07-2020

I've fixed my answer.

---
If this reply helps you, Karma would be appreciated.

Marco · ‎12-07-2020

Thank you so much,

I've been trying to figure that out for hours. 🙏

EVAL Command Help