Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Like Command with special charecter
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like Command with special charecter
Hi Team,
I am trying to run below query .. now here problem is its not showing any "Blocked" data .. its showing only "Non access Not Blocked " .. is there any syntax error in * OR %? please suggest ..
:::|| eval BlockedStatus =
case(Like(src,"11.11.111.%") AND act= "REQ_BLOCKED*" ,"Blocked",
Like(src,"222.22.222.%") AND act="REQ_BLOCKED*","Blocked",
Like(src,"11.11.111.%") AND act!="REQ_BLOCKED*","Not Blocked",
Like(src,"222.22.222..%") AND act!="REQ_BLOCKED*","Not Blocked",
NOT Like(src,"11.11.111.%") AND act="REQ_BLOCKED*","Non access Blocked",
NOT Like(src,"222.22.222..%") AND act="REQ_BLOCKED*","Non access Blocked",
NOT Like(src,"11.11.111.%") AND act!="REQ_BLOCKED*","Non access Not Blocked",
NOT Like(src,"222.22.222..%") AND act!="REQ_BLOCKED*","Non access Not Blocked") | stats count by Customer , BlockedStatus | rename Customer as "Local Market",count as "Total Critical Events"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jotne i have below 2 queries now ..
1.now again getting only Blocked and Not Blocked ..
2.how can we go with" act!="REQ_BLOCKED*","Not Blocked"," does it would be "Notmatch(act,"REQ_BLOCKED*")"
....
| eval BlockedStatus =
case(Like(src,"11.11.111.%") AND match(act,"REQ_BLOCKED*")," Blocked",1==1," Not Blocked",Like(src,"222.22.222.%") AND match(act,"REQ_BLOCKED*"),"Blocked",1==1,"Not Blocked",
NOT Like(src,"11.11.111.%") AND match(act,"REQ_BLOCKED*"),"Non access Blocked",1==1,"Non accessNot Blocked",
NOT Like(src,"222.22.222.%") AND match(act,"REQ_BLOCKED*"),"Non access Blocked",1==1,"Non access Not Blocked")
| stats count by Customer , BlockedStatus | rename Customer as "Local Market",count as "Total Critical Events"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you use AND in case, you need == not = to make things to work.
You can also use CIDR to match IP range.
Example
| makeresults
| eval src="11.11.111.5", act="REQ_BLOCKED"
| eval BlockedStatus=case(cidrmatch("11.11.111.0/24",src) AND act=="REQ_BLOCKED", "Blocked", 1==1, "other")
This will give "Blocked"
You can not use * in Case so to match part of field.
| makeresults
| eval src="11.11.111.5", act="REQ_BLOCKED FILE"
| eval BlockedStatus=case(cidrmatch("11.11.111.0/24",src) AND match(act,"REQ_BLOCKED.*"), "Blocked", 1==1, "other")
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
