Establishing a direction for a connection

Akita881
New Member

I have a table output that has a Source Address and a Destination Address. I would like to add a column to the table titled Direction and populate the column for each event based on the Source Address. If the Source Address is one of our internal IPs the Direction would be Outbound. If the Source Address was an external IP then the Direction would be Inbound. We have Splunk 5.0.2.
When I use:

| eval Direction= if(SourceAddress==”10.*”,”Outbound”,”Inbound”)

or

| eval Direction =case(SourceAddress==”10.*”,”Outbound”,”Inbound”)

I get the error message "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '”10.*”,”Outbound”,”Inbound”)'."
Any help would be appreciated.


Ayn
Legend

The first eval should work syntactically at least, though it will probably not work the way you want. What you're doing there is telling Splunk to compare the SourceAddress value to the literal string "10.*", which I expect you will never have as a value. If you want to do wildcarding, you will need to use the match() function instead. match uses regex, so it would be something like this:

| eval Direction=if(match(SourceAddress,"^10\."),"Outbound","Inbound")

Or for that matter, because this is an IP address you could make use of cidrmatch:

| eval Direction=if(cidrmatch("10.0.0.0/24",SourceAddress),"Outbound","Inbound")

As for your second eval, this is where you're getting the error - you're supplying an odd number of arguments to case. case expects pairs consisting of a boolean test and a result in case this test is true. If you want to end your case statement with a "default" kind of value, you can't just put it there on its own; you need to include a test that will always yield true, 1=1 for instance.

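Putting the answer's two points together, here is an added worked search (not from the original thread or from Splunk's documentation) that builds a few constructed sample events and classifies them with cidrmatch and a case() whose last pair uses 1=1 as the default. It assumes the three RFC 1918 ranges define "internal" and checks both addresses so that internal-to-internal traffic is labelled separately; note that 10.0.0.0/8 is needed to cover every 10.* address, since 10.0.0.0/24 only matches 10.0.0.0 through 10.0.0.255, and that all quotes must be straight ASCII quotes, which is exactly what the curly quotes in the question's error message trip over. makeresults is only used here to fabricate sample rows and needs a newer Splunk than 5.0.2; the eval and table lines run unchanged on the questioner's own events.

```spl
| makeresults count=4
| streamstats count AS n
| eval SourceAddress=case(n==1,"10.1.2.3", n==2,"198.51.100.7", n==3,"192.168.5.9", n==4,"203.0.113.20")
| eval DestinationAddress=case(n==1,"203.0.113.10", n==2,"10.1.2.3", n==3,"172.16.0.4", n==4,"198.51.100.8")
| eval src_internal=if(cidrmatch("10.0.0.0/8",SourceAddress) OR cidrmatch("172.16.0.0/12",SourceAddress) OR cidrmatch("192.168.0.0/16",SourceAddress), 1, 0)
| eval dst_internal=if(cidrmatch("10.0.0.0/8",DestinationAddress) OR cidrmatch("172.16.0.0/12",DestinationAddress) OR cidrmatch("192.168.0.0/16",DestinationAddress), 1, 0)
| eval Direction=case(src_internal==1 AND dst_internal==1, "Internal",
                      src_internal==1, "Outbound",
                      dst_internal==1, "Inbound",
                      1=1, "External")
| table SourceAddress DestinationAddress Direction
```

With the constructed rows above, the four events come out as Outbound, Inbound, Internal and External respectively; the "External" bucket is worth keeping because traffic with neither end inside your ranges usually means a gap in the address list or a misparsed field.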

Ayn
Legend

Awesome! Please mark my answer as accepted if it solved your problem. Thanks.


Akita881
New Member

Thanks! The change works and your explanation helped. I appreciate it.
