Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Exclude specific values from Eval case matches

neerajs_81
Builder
‎08-16-2024 04:23 AM

Hello, 

How can I get my eval case like to match all values  except a  specific value ?

I have below values for a field called rule_name

MMT01_windows_brute_force

MMT02_linux_root_login

MMT03_Aws_guardduty_alert

How to get eval to match everything except anything with AWS in the name ? I need to use wildcard % for the matching part because there r many matches but just exclude AWS ones.

I  found a similar post here where the answer was to user AND! To exclude  But that syntax is no longer supported it seems.

| eval rule_type= case(like(rule_name,"MHE0%"),onprem,cloud)

Expected result: rule_type should end up having 2 values for MMT01 and 02  using a wildcard and MMT03 should be  considered as cloud

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎08-16-2024 06:12 AM

Your description is not very clear but you can either use if with eval to check if some complex condition is fulfilled like for example:

| eval rule_type=if(like(rule_name,"MHE0%") OR like (rule_name,"%AWS%"),"cloud","prem")

(forget the actual logic, it's the syntax that's important here).

or

use the case() statement to form something of an ACL:

| eval rule_type=case(like(rule_name,"%AWS%"),"cloud",like(rule_name,"MHE0%"),"onprem",1=1,"cloud default")

 

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-17-2024 04:48 AM

You could use match and a regex

| eval rule_type=if(match(_raw,"MMT\d+_(?:[^_]+(?<!Aws))_"),"onprem","cloud")
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎08-16-2024 06:12 AM

Your description is not very clear but you can either use if with eval to check if some complex condition is fulfilled like for example:

| eval rule_type=if(like(rule_name,"MHE0%") OR like (rule_name,"%AWS%"),"cloud","prem")

(forget the actual logic, it's the syntax that's important here).

or

use the case() statement to form something of an ACL:

| eval rule_type=case(like(rule_name,"%AWS%"),"cloud",like(rule_name,"MHE0%"),"onprem",1=1,"cloud default")

 

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...