Splunk Search

How to create an eval and use of like?

jwalzerpitt
Influencer
I am trying to do an eval with like to assign priority to certain IPs/hosts and running into an issue where the priority is not being assigned. I am using network data to create my ES asset list and I have a lookup that does IP to cidr range and then returns the zone the IP is associated with. Later in my search I rename zone to bunit and right after that I am testing the eval as follows:
| eval priority=if(like(bunit,"%foo%"), "critical" , "TBD")
As I am testing the search at the end of my search I have:
| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, device, interface
| search bunit=*foo*
I get a list of all foo related bunit events, but the priority field is set to "TBD"
 
Would appreciate any help - thx
0 Karma
1 Solution

isoutamo
SplunkTrust

Multivalue fields have different behaviour than "normal" single value fields.

Can you try this:

eval priority=if(isnotnull(mvfind(bunit,"foo")), "critical" , "TBD")

mvfind(MVFIELD,"REGEX")


isoutamo
SplunkTrust

Are you sure that bunit is not a multi value field?

jwalzerpitt
Influencer

My apologies, as on reviewing the search output I need to dedup fields, with bunit being one of those fields. Here is my entire search:

 

index=arp sourcetype=foo_arp NOT mac IN (incomplete) 
| lookup securitygroupmembers_lookup cidr_range as ip 
| lookup dnslookup clientip as ip OUTPUT clienthost as dns 
| fillnull value=NULL 
| search zone!="" 
| eval zone=coalesce(zone,"null")
| rename zone AS bunit 
| eval priority=if(like(bunit,"%foo%"), "critical" , "TBD")
| eval ip=mvdedup(ip), mac=mvdedup(mac), dns=mvdedup(dns), bunit=mvdedup(bunit), device=mvdedup(device), interface=mvdedup(interface)
| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, device, interface
| search bunit=*foo*

 

For some reason I am getting dupes in various fields so I use an eval to dedup those fields. With bunit being a multi value field, what effect does that have?

Thx

0 Karma

jwalzerpitt
Influencer

One issue I see is that with using isnull/isnotnull as follows, it tags all values from the bunits field as critical:

| eval priority=if(isnull(mvfind(bunit,"(%foo%)")), "critical" , "TBD")

 

Is there a better information function (https://docs.splunk.com/Documentation/SCS/current/SearchReference/InformationalFunctions#isstr.28.26...) to use?

0 Karma

jwalzerpitt
Influencer

That worked after making a slight change so TYVM!

At first, when I used the following, the priority field was still coming back as TBD:

| eval priority=if(isnotnull(mvfind(bunit,"fis")), "critical" , "TBD")

However, when I made the change from isnotnull to isnull (and added % to foo) the bunit field was now tagged as critical:

| eval priority=if(isnull(mvfind(bunit,"%foo%")), "critical" , "TBD")

Is it possible to search for multiple values in the bunit field in the eval like, as follows? I have a list of zones/bunits I need to tag as critical.

| eval priority=if(isnull(mvfind(bunit,"%foo%", "%bar%", "%abc%")), "critical" , "TBD")

Thx again!

0 Karma

isoutamo
SplunkTrust

As mvfind uses regex to match, you could use what it offers. An easy place to test those is regex101.com.
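To make the regex point concrete, here is a self-contained search that is not part of the original thread: it builds three constructed rows with `makeresults` (one single-value bunit, one multivalue bunit built with `split`, one that should stay TBD) and compares the `like()` test from the question with the `mvfind()` test from the accepted answer, using a regex alternation for the list of zones. The IPs and zone names are made up for the example. Note that `%` is an SQL-style wildcard for `like()` only; inside the regex passed to `mvfind()` it is a literal percent sign, so a pattern such as `"%foo%"` never matches a plain zone name and `isnull(mvfind(...))` then tags every row as critical.

```spl
| makeresults count=3
| streamstats count AS n
``` constructed sample rows: one bunit per IP, one IP whose lookup returned two zones
| eval ip=case(n=1, "10.0.0.1", n=2, "10.0.0.2", n=3, "10.0.0.3")
| eval bunit=case(n=1, "foo-dmz", n=2, "foo-dmz;bar-core", n=3, "baz-lab")
| eval bunit=split(bunit, ";")
``` the test from the question: like() with SQL-style % wildcards
| eval via_like=if(like(bunit, "%foo%"), "critical", "TBD")
``` the accepted answer, extended to a list of zones with regex alternation
``` (no % here: mvfind takes a regex, and % would be a literal character)
| eval via_mvfind=if(isnotnull(mvfind(bunit, "foo|bar|abc")), "critical", "TBD")
| table ip bunit via_like via_mvfind
```

Rows 1 and 2 come back as critical in via_mvfind and row 3 as TBD; via_like is kept only so the two approaches can be compared side by side on the multivalue row, which is the case the accepted answer says behaves differently from a single-value field. Zone names that contain regex metacharacters (a dot, for instance) need escaping, or the pattern can be anchored, e.g. `"^(foo|bar|abc)-"`, to avoid matching a substring of an unrelated zone.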

 

jwalzerpitt
Influencer

Thx again

0 Karma

jwalzerpitt
Influencer

bunit just has one value per IP

0 Karma