
I'm trying to create a new field for category based off values in my existing 'message' field.
index=network sourcetype=test
| eval category = case (like(message,"*port scan detected*"), "Network_Port_Scan", like(message,"Gateway Anti-Virus Alert*"), like(message,"*Possible TCP Flood*")), "Network_Threat_Activity", like(message,"*packet dropped*" like(message,"*connection dropped*" like(message,"*protocol dropped*"))), "Network_Wire_Activity")
Does anyone know how I accomplish this?

Asterisks are wild only for search and base searches. For eval and where, they are string literals, so you MUST use something else like like() or match().

@woodcock can I use OR operators inside a given like() statement?
Example:
| eval category = case (like(message,"%port scan detected%"), "Network_Port_Scan", like(message,"%Gateway Anti-Virus Alert%" OR "%TCP Flood%"), "Network_Threat_Activity")

No, but you can like() OR like(), and you can use SQL boolean syntax or use match(message, "foo|bar|bat").
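Putting the two answers together, here is a self-contained search that builds the category field the original question was after. This is an added example, not code posted by anyone in the thread: the message strings are constructed with makeresults/split/mvexpand so it runs without the index=network data, the `%` wildcards replace the asterisks inside like(), the OR is written as two like() calls, the three "dropped" variants are collapsed into one match() regex with alternation, and true() supplies a default category so unmatched events do not come back with a null field.

```spl
| makeresults
| eval message=split("port scan detected from host A;Gateway Anti-Virus Alert: test file;Possible TCP Flood on eth0;TCP packet dropped by policy;connection dropped: idle timeout;ICMP protocol dropped;Interface up", ";")
| mvexpand message
| eval category = case(
    like(message, "%port scan detected%"), "Network_Port_Scan",
    like(message, "Gateway Anti-Virus Alert%") OR like(message, "%Possible TCP Flood%"), "Network_Threat_Activity",
    match(message, "(?i)(packet|connection|protocol) dropped"), "Network_Wire_Activity",
    true(), "Uncategorized")
| table message category
```

Each constructed message lands in exactly one category ("Interface up" falls through to "Uncategorized"). The `(?i)` prefix in the match() pattern makes that one comparison case-insensitive, which is useful when the same appliance logs "Packet Dropped" in one firmware version and "packet dropped" in another; swap the constructed eval/mvexpand lines for `index=network sourcetype=test` to run it against real events.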
