jwalzerpitt wrote:
| eval priority=if(like(bunit,"%foo%"), "critical" , "TBD")
| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, device, interface | search bunit=*foo*
SplunkTrust wrote:
Multivalue fields have different behaviour from "normal" single-value fields.
Can you try this:
eval priority=if(isnotnull(mvfind(bunit,"foo")), "critical" , "TBD")
SplunkTrust wrote:
Are you sure that bunit is not a multi value field?
jwalzerpitt wrote:
My apologies; reviewing the search output, I need to dedup fields, with bunit being one of those fields. Here is my entire search:
index=arp sourcetype=foo_arp NOT mac IN (incomplete)
| lookup securitygroupmembers_lookup cidr_range as ip
| lookup dnslookup clientip as ip OUTPUT clienthost as dns
| fillnull value=NULL
| search zone!=""
| eval zone=coalesce(zone,"null")
| rename zone AS bunit
| eval priority=if(like(bunit,"%foo%"), "critical" , "TBD")
| eval ip=mvdedup(ip), mac=mvdedup(mac), dns=mvdedup(dns), bunit=mvdedup(bunit), device=mvdedup(device), interface=mvdedup(interface)
| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, device, interface
| search bunit=*foo*
For some reason I am getting dupes in various fields so I use an eval to dedup those fields. With bunit being a multi value field, what effect does that have?
Thx
jwalzerpitt wrote:
One issue I see is that when using isnull/isnotnull as follows, it tags all values from the bunit field as critical:
| eval priority=if(isnull(mvfind(bunit,"(%foo%)")), "critical" , "TBD")
Is there a better information function (https://docs.splunk.com/Documentation/SCS/current/SearchReference/InformationalFunctions#isstr.28.26...) to use?
jwalzerpitt wrote:
That worked after making a slight change, so TYVM!
At first, when I used the following, the priority field was still coming back as TBD:
| eval priority=if(isnotnull(mvfind(bunit,"fis")), "critical" , "TBD")
However, when I made the change from isnotnull to isnull (and added % to foo), the bunit field was now tagged as critical:
| eval priority=if(isnull(mvfind(bunit,"%foo%")), "critical" , "TBD")
Is it possible to search for multiple values in the bunit field in the eval, as follows? I have a list of zones/bunits I need to tag as critical.
| eval priority=if(isnull(mvfind(bunit,"%foo%", "%bar%", "%abc%")), "critical" , "TBD")
Thx again!
SplunkTrust wrote:
As mvfind uses regex to match, you could use what it offers. An easy place to test those is regex101.com.
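The following is an added, self-contained example (not code from the thread) showing the regex route the reply above points at. It builds three constructed rows with makeresults so it can be run in any Splunk search bar without the arp index or lookups from the original search. Two points it makes concrete: mvfind(MVFIELD, "REGEX") returns the index of the first value that matches a PCRE regex and null when none does, so a list of zones becomes a single alternation; and "%" is the SQL-style wildcard understood by like(), not a regex metacharacter, so mvfind(bunit,"%foo%") looks for a literal "%foo%", returns null on every event, and an isnull() test then marks every asset critical (the "tags all values as critical" behaviour reported above). The zone names foo, bar and abc are the thread's placeholders; matched_idx is added only to show what mvfind returns.

```spl
| makeresults count=3
| streamstats count AS n
| eval bunit=case(n==1, "foo-zone", n==2, "ops,abc-east", n==3, "dmz")
| eval bunit=split(bunit, ",")
| eval matched_idx=mvfind(bunit, "(?i)foo|bar|abc")
| eval priority=if(isnotnull(matched_idx), "critical", "TBD")
| eval wrong_priority=if(isnull(mvfind(bunit, "%foo%")), "critical", "TBD")
| table n, bunit, matched_idx, priority, wrong_priority
```

Expected rows: n=1 matches at index 0 and n=2 (a true multivalue field, where only the second value abc-east matches) at index 1, both getting priority=critical; n=3 gets null and TBD. The wrong_priority column is critical on all three rows, which is the failure mode to watch for when an eval silently over-prioritises an asset inventory. The unanchored pattern matches substrings, just like %foo%; use "^(?i)(foo|bar|abc)$" if the zone names must match exactly. Once the critical-zone list grows beyond a handful of names, a lookup table (for example a hypothetical critical_zones.csv applied with `| lookup critical_zones bunit OUTPUT priority`) is easier to review and change-control than an ever-growing regex.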
jwalzerpitt wrote:
Thx again
jwalzerpitt wrote:
bunit just has one value per IP
data:image/s3,"s3://crabby-images/1a552/1a552ff33d37f94e7c5bc13132edaa973c529815" alt=""