Hi Team,
I am trying to run the query below. The problem is that it is not showing any "Blocked" data; it only shows "Non access Not Blocked". Is there any syntax error in * or %? Please suggest.
| eval BlockedStatus =
case(Like(src,"11.11.111.%") AND act= "REQ_BLOCKED*" ,"Blocked",
Like(src,"222.22.222.%") AND act="REQ_BLOCKED*","Blocked",
Like(src,"11.11.111.%") AND act!="REQ_BLOCKED*","Not Blocked",
Like(src,"222.22.222.%") AND act!="REQ_BLOCKED*","Not Blocked",
NOT Like(src,"11.11.111.%") AND act="REQ_BLOCKED*","Non access Blocked",
NOT Like(src,"222.22.222.%") AND act="REQ_BLOCKED*","Non access Blocked",
NOT Like(src,"11.11.111.%") AND act!="REQ_BLOCKED*","Non access Not Blocked",
NOT Like(src,"222.22.222.%") AND act!="REQ_BLOCKED*","Non access Not Blocked") | stats count by Customer , BlockedStatus | rename Customer as "Local Market",count as "Total Critical Events"
@jotne I have the 2 queries below now.
1. Now I am again getting only Blocked and Not Blocked.
2. How can we go with act!="REQ_BLOCKED*","Not Blocked"? Would it be Notmatch(act,"REQ_BLOCKED*")?
....
| eval BlockedStatus =
case(Like(src,"11.11.111.%") AND match(act,"REQ_BLOCKED*")," Blocked",1==1," Not Blocked",
Like(src,"222.22.222.%") AND match(act,"REQ_BLOCKED*"),"Blocked",1==1,"Not Blocked",
NOT Like(src,"11.11.111.%") AND match(act,"REQ_BLOCKED*"),"Non access Blocked",1==1,"Non accessNot Blocked",
NOT Like(src,"222.22.222.%") AND match(act,"REQ_BLOCKED*"),"Non access Blocked",1==1,"Non access Not Blocked")
| stats count by Customer , BlockedStatus | rename Customer as "Local Market",count as "Total Critical Events"
When you use AND in case, you need == not = to make things work.
You can also use CIDR to match an IP range.
Example:
| makeresults
| eval src="11.11.111.5", act="REQ_BLOCKED"
| eval BlockedStatus=case(cidrmatch("11.11.111.0/24",src) AND act=="REQ_BLOCKED", "Blocked", 1==1, "other")
This will give "Blocked".
You cannot use * in case to match part of a field, so use match with a regex instead.
| makeresults
| eval src="11.11.111.5", act="REQ_BLOCKED FILE"
| eval BlockedStatus=case(cidrmatch("11.11.111.0/24",src) AND match(act,"REQ_BLOCKED.*"), "Blocked", 1==1, "other")
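Putting the whole thing together as an added example (this is not jotne's or the asker's query): four constructed events cover all four outcomes, both source ranges are assumed to be /24 networks, and the single catch-all 1==1 branch sits last so it cannot swallow the later conditions the way it does in the second query above.

```spl
| makeresults count=4
| streamstats count AS n
| eval src=case(n==1,"11.11.111.5", n==2,"222.22.222.9", n==3,"10.0.0.7", n==4,"10.0.0.8"),
       act=case(n==1,"REQ_BLOCKED", n==2,"REQ_ALLOWED", n==3,"REQ_BLOCKED FILE", n==4,"REQ_ALLOWED"),
       Customer="Constructed"
| eval is_local=if(cidrmatch("11.11.111.0/24",src) OR cidrmatch("222.22.222.0/24",src), 1, 0),
       is_blocked=if(match(act,"^REQ_BLOCKED"), 1, 0)
| eval BlockedStatus=case(is_local==1 AND is_blocked==1, "Blocked",
                          is_local==1 AND is_blocked==0, "Not Blocked",
                          is_local==0 AND is_blocked==1, "Non access Blocked",
                          1==1, "Non access Not Blocked")
| stats count BY Customer, BlockedStatus
| rename Customer AS "Local Market", count AS "Total Critical Events"
```

Computing is_local and is_blocked first keeps each case branch to a pair of == tests, which is easier to read than repeating the cidrmatch and match calls in every branch.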