Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help with Eval

a212830
Champion
‎06-14-2019 11:44 AM

Hi,

I'm trying to do an eval, but it's not working, and could use another set of eyes.

I extract my data in the props.conf on the SH:

EXTRACT-action  = \<ACTION\>(?<actionTESTA>[^\<]+)\<\/ACTION\>

That part works - it returns values of Discard, Refuse or Allow.

I then have an eval function in my props. right under the extract statement. 

EVAL-action=case(actionTESTA="Allow","allowed",actionTESTA="Permit","allowed",actionTESTA="Discard","teardown",actionTESTA="Refuse","blocked",eventTESTA="Connection closed","teardown",eventTESTA="Incomplete connection closed","teardown")

I would expect the eval statement to change values, but it's not.

Anyone?

0 Karma
Reply

jnudell_2
Builder
‎06-14-2019 12:16 PM

Try: 

EVAL-action = case( match(actionTESTA, "Allow|Permit"), "allowed", actionTESTA=="Discard", "teardown", actionTESTA=="Refuse", "blocked", match(eventTESTA, "Connection closed|Incomplete connection closed"), "teardown")

Reply

sloshburch
Splunk Employee
Splunk Employee
‎07-16-2019 07:40 AM

As @jnudell_2 is pointing out is that the operators of where and eval isn't like search. See Eval Operators for specifics.

0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...