Solved: Re: Having issue with eval and use of like

jwalzerpitt · ‎09-16-2022

I am trying to an eval with like to assign priority to certain IPs/hosts and running into an issue where the priority is not being assigned. I am using network data to create my ES asset list and I have a lookup that does IP to cidr range and then returns the zone the IP is associated with. Later in my search I rename zone to bunit and right after that I am testing the eval as follows:

| eval priority=if(like(bunit,"%foo%"), "critical" , "TBD")

As I am testing the search at the end of my search I have:

| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, device, interface
| search bunit=*foo*

I get a list of all foo related bunit events, but the priority field is set to "TBD"

Would appreciate any help - thx

isoutamo · ‎09-16-2022

Multivalue fields has different behaviour than "normal" single value fields.

Can you try this

eval priority=if(isnotnull(mvfind(bunit,"foo")), "critical" , "TBD")

mvfind(MVFIELD,"REGEX")

View solution in original post

isoutamo · ‎09-16-2022

Are you sure that bunit is not a multi value field?

jwalzerpitt · ‎09-16-2022

My apologies as reviewing the search output I need to dedup fields with bunit being one of those fields. Here is my entire search:

index=arp sourcetype=foo_arp NOT mac IN (incomplete) 
| lookup securitygroupmembers_lookup cidr_range as ip 
| lookup dnslookup clientip as ip OUTPUT clienthost as dns 
| fillnull value=NULL 
| search zone!="" 
| eval zone=coalesce(zone,"null")
| rename zone AS bunit 
| eval priority=if(like(bunit,"%foo%"), "critical" , "TBD")
| eval ip=mvdedup(ip), mac=mvdedup(mac), dns=mvdedup(dns), bunit=mvdedup(bunit), device=mvdedup(device), interface=mvdedup(interface)
| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, device, interface
| search bunit=*foo*

For some reason I am getting dupes in various fields so I use an eval to dedup those fields. With bunit being a multi value field, what effect does that have?

Thx

isoutamo · ‎09-16-2022

Multivalue fields has different behaviour than "normal" single value fields.

Can you try this

eval priority=if(isnotnull(mvfind(bunit,"foo")), "critical" , "TBD")

mvfind(MVFIELD,"REGEX")

jwalzerpitt · ‎09-16-2022

One issue I see is that with using isnull/isnotnull as follows, it tags all values from the bunits field as critical:

| eval priority=if(isnull(mvfind(bunit,"(%foo%)")), "critical" , "TBD")

Is there a better information function (https://docs.splunk.com/Documentation/SCS/current/SearchReference/InformationalFunctions#isstr.28.26...) to use?

jwalzerpitt · ‎09-16-2022

That worked after making a slight change so TYVM!

At first when I used the following, the priority field was still coming back as TBD

| eval priority=if(isnotnull(mvfind(bunit,"fis")), "critical" , "TBD")

However, when I made the change from isnotnull to isnull (and added % to foo) the bunit field was now tagged as critical

| eval priority=if(isnull(mvfind(bunit,"%foo%")), "critical" , "TBD")

Is it possible to search for multiple values in the bunit filed in the eval like as follows? I have a list of zones/bunits I need to tag as critical

| eval priority=if(isnull(mvfind(bunit,"%foo%", "%bar%, "%abc%)), "critical" , "TBD")

Thx again!

isoutamo · ‎09-16-2022

As mvfind use regex to match, you could use what it offer. Easy place to test those is regex101.com.

jwalzerpitt · ‎09-16-2022

Thx again

jwalzerpitt · ‎09-16-2022

bunit just has one value per IP

How to create an eval and use of like?

eval

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation