Splunk Search

Help using eval case statement using wildcards

johnward4
Communicator

I'm trying to create a new field for category based off values in my existing 'message' field.

index=network sourcetype=test
| eval category = case (like(message,"*port scan detected*"), "Network_Port_Scan", like(message,"Gateway Anti-Virus Alert*"), like(message,"*Possible TCP Flood*")), "Network_Threat_Activity", like(message,"*packet dropped*" like(message,"*connection dropped*" like(message,"*protocol dropped*"))), "Network_Wire_Activity")

Does anyone know how I accomplish this?

0 Karma
1 Solution

woodcock
Esteemed Legend

Asterisks are wild only for search and base searches. For eval and where, they are string literals so you MUST use something else like, like() or match().

View solution in original post

woodcock
Esteemed Legend

Asterisks are wild only for search and base searches. For eval and where, they are string literals so you MUST use something else like, like() or match().

View solution in original post

johnward4
Communicator

@woodcock can I using OR operators inside a given like() statement?

example :

| eval category = case (like(message,"%port scan detected%"), "Network_Port_Scan", like(message,"%Gateway Anti-Virus Alert%" OR "%TCP Flood%"), "Network_Threat_Activity")

0 Karma

woodcock
Esteemed Legend

No but you can like() OR like() and you can use SQL boolean syntax or use match(message, "foo|bar|bat").

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!