Splunk Search

Like Command with special charecter

Susha
Engager

Hi Team,

I am trying to run below query .. now here problem is its not showing any  "Blocked" data .. its showing only "Non access Not Blocked " .. is there any syntax error in * OR %? please suggest ..

:::|| eval BlockedStatus =
case(Like(src,"11.11.111.%") AND act= "REQ_BLOCKED*" ,"Blocked",
Like(src,"222.22.222.%") AND act="REQ_BLOCKED*","Blocked",
Like(src,"11.11.111.%") AND act!="REQ_BLOCKED*","Not Blocked",
Like(src,"222.22.222..%") AND act!="REQ_BLOCKED*","Not Blocked",
NOT Like(src,"11.11.111.%") AND act="REQ_BLOCKED*","Non access Blocked",
NOT Like(src,"222.22.222..%") AND act="REQ_BLOCKED*","Non access Blocked",
NOT Like(src,"11.11.111.%") AND act!="REQ_BLOCKED*","Non access Not Blocked",
NOT Like(src,"222.22.222..%") AND act!="REQ_BLOCKED*","Non access Not Blocked") | stats count by Customer , BlockedStatus | rename Customer as "Local Market",count as "Total Critical Events"

Labels (1)
0 Karma

Susha
Engager

@jotne i have  below 2 queries now ..

1.now again getting only Blocked and Not Blocked ..

2.how can we go with" act!="REQ_BLOCKED*","Not Blocked"," does it would be "Notmatch(act,"REQ_BLOCKED*")"

....
| eval BlockedStatus =
case(Like(src,"11.11.111.%") AND match(act,"REQ_BLOCKED*")," Blocked",1==1," Not Blocked",Like(src,"222.22.222.%") AND match(act,"REQ_BLOCKED*"),"Blocked",1==1,"Not Blocked",
NOT Like(src,"11.11.111.%") AND match(act,"REQ_BLOCKED*"),"Non access Blocked",1==1,"Non accessNot Blocked",
NOT Like(src,"222.22.222.%") AND match(act,"REQ_BLOCKED*"),"Non access Blocked",1==1,"Non access Not Blocked")

| stats count by Customer , BlockedStatus | rename Customer as "Local Market",count as "Total Critical Events"

0 Karma

jotne
Builder

When you use AND in case, you need == not = to make things to work.

You can also use CIDR to match IP range.

Example

 

| makeresults 
| eval src="11.11.111.5", act="REQ_BLOCKED"
| eval BlockedStatus=case(cidrmatch("11.11.111.0/24",src) AND act=="REQ_BLOCKED", "Blocked", 1==1, "other")

 

This will give "Blocked"

You can not use *  in Case so to match part of field.

| makeresults 
| eval src="11.11.111.5", act="REQ_BLOCKED FILE"
| eval BlockedStatus=case(cidrmatch("11.11.111.0/24",src) AND match(act,"REQ_BLOCKED.*"), "Blocked", 1==1, "other")
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...