Help with Eval

a212830 · ‎06-14-2019

Hi,

I'm trying to do an eval, but it's not working, and could use another set of eyes.

I extract my data in the props.conf on the SH:

EXTRACT-action  = \<ACTION\>(?<actionTESTA>[^\<]+)\<\/ACTION\>

That part works - it returns values of Discard, Refuse or Allow.

I then have an eval function in my props. right under the extract statement.

EVAL-action=case(actionTESTA="Allow","allowed",actionTESTA="Permit","allowed",actionTESTA="Discard","teardown",actionTESTA="Refuse","blocked",eventTESTA="Connection closed","teardown",eventTESTA="Incomplete connection closed","teardown")

I would expect the eval statement to change values, but it's not.

Anyone?

jnudell_2 · ‎06-14-2019

Try:

EVAL-action = case( match(actionTESTA, "Allow|Permit"), "allowed", actionTESTA=="Discard", "teardown", actionTESTA=="Refuse", "blocked", match(eventTESTA, "Connection closed|Incomplete connection closed"), "teardown")

sloshburch · ‎07-16-2019

As @jnudell_2 is pointing out is that the operators of where and eval isn't like search. See Eval Operators for specifics.

Help with Eval

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

.conf25 Community Recap

Are you a member of the Splunk Community?

Help with Eval

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

.conf25 Community Recap