Splunk Search

Help using eval case statement using wildcards

johnward4
Communicator

I'm trying to create a new field for category based off values in my existing 'message' field.

index=network sourcetype=test
| eval category = case (like(message,"*port scan detected*"), "Network_Port_Scan", like(message,"Gateway Anti-Virus Alert*"), like(message,"*Possible TCP Flood*")), "Network_Threat_Activity", like(message,"*packet dropped*" like(message,"*connection dropped*" like(message,"*protocol dropped*"))), "Network_Wire_Activity")

Does anyone know how I accomplish this?

0 Karma
1 Solution

woodcock
Esteemed Legend

Asterisks are wild only for search and base searches. For eval and where, they are string literals so you MUST use something else like, like() or match().

View solution in original post

woodcock
Esteemed Legend

Asterisks are wild only for search and base searches. For eval and where, they are string literals so you MUST use something else like, like() or match().

johnward4
Communicator

@woodcock can I using OR operators inside a given like() statement?

example :

| eval category = case (like(message,"%port scan detected%"), "Network_Port_Scan", like(message,"%Gateway Anti-Virus Alert%" OR "%TCP Flood%"), "Network_Threat_Activity")

0 Karma

woodcock
Esteemed Legend

No but you can like() OR like() and you can use SQL boolean syntax or use match(message, "foo|bar|bat").

0 Karma
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...