I'm looking to create a search query to analyze tr...

rcastello · ‎11-30-2018

Hello,

I'm currently using this query to create a table:

index=* sourcetype=* dport=139 OR sport=139
| eval timestamp=strftime(_time, "%B %d, %I:%M:%S %p") 
| table timestamp sourcetype dport sport

However, I'd like to include src_ip and dest_ip, so I tried this but it doesn't pull the same results:

index=* sourcetype=* src_ip=* dest_ip=* dport=139 OR sport=139
| eval timestamp=strftime(_time, "%B %d, %I:%M:%S %p") 
| table timestamp sourcetype src_ip dest_ip dport sport

What am I doing incorrectly and how can I reach my desired results? Thank you for any help provided.

woodcock · ‎11-30-2018

Try this:

index=* sourcetype=* dport=139 OR sport=139
| eval timestamp=strftime(_time, "%B %d, %I:%M:%S %p") 
| eval src=coalesce(src_ip, src, src*, "unknown")
| eval dest=coalesce(dest_ip, dest, dest*, "unknown")
| table timestamp sourcetype src dest dport sport

rcastello · ‎12-03-2018

Hello woodcock,

Thanks for your assistance. When I utilize your recommendation, Splunk throws this error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ', "unknown")'.

Is there some data I should be using in place of "unknown" instead? Thanks for your help, @woodcock .

ddrillic · ‎12-03-2018

It does seem that coalesce takes only two parameters...

Sorry, the documentation says

-- This function takes an arbitrary number of arguments and returns the first value that is not NULL.

I'm looking to create a search query to analyze traffic to determine source / destination IP and source / destination port, as well as using timestamp?

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!