Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass multiple fields in Case or IF commands

devsru
Explorer
‎09-04-2024 06:45 PM

Hi Everyone,

I have some events with the field Private_MBytes and host = vmt/vmu/vmd/vmp

I want to create a case when host is either vmt/vmu/vmd and Private_MBytes  > 20000 OR when host is vmp and  Private_MBytes > 40000 then it should display the events with severity_id 4. Example

eval severity_id=if(Private_MBytes >= "20000" AND host IN [vmd*,vmt*,vmu*],4,2)

eval severity_id=if(Private_MBytes >= "40000" AND host ==vmp*,4,2)

 

Note :  if Private_MBytes > 40000, and then if there is any vmd/vmu/vmt it should display severity_id 4 only and for vmp also.

Labels (4)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-04-2024 08:38 PM

If I must guess, the use of wildcard characters make your search not returning your desired results? (Syntax-wise, I am not sure if IN operator can use square brackets.)  As you only illustrated two values, no need to use case.

| eval severity_id=if(Private_MBytes >= 20000 AND searchmatch("host IN (vmd*,vmt*,vmu*)") OR Private_MBytes >= 40000 AND host LIKE "vmp%", 4, 2)

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-04-2024 11:43 PM

Hi @devsru ,

you have to correlate your conditions using the boolean operators AND and OR and the parenthesys, aligned with the logic you need:

| eval severity_id=if((Private_MBytes>=20000 AND host IN ("vmd*","vmt*","vmu*")) OR (Private_MBytes>=40000 AND host="vmp*"), 4, 2)

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-04-2024 08:38 PM

If I must guess, the use of wildcard characters make your search not returning your desired results? (Syntax-wise, I am not sure if IN operator can use square brackets.)  As you only illustrated two values, no need to use case.

| eval severity_id=if(Private_MBytes >= 20000 AND searchmatch("host IN (vmd*,vmt*,vmu*)") OR Private_MBytes >= 40000 AND host LIKE "vmp%", 4, 2)

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-24-2024 05:09 AM

Hi @devsru ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...