Splunk Search

Limited Search to 2 Categories

jaywilwk
Engager

The search below is taking anything that contains IBC Allow in the category and repurposing it to a new Category. Only thing is, I'm not able to capture the IBC Allows stuff as well from the category and repurpose it to the new Category. How can I accomplish this?

index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | search Category=IBC | timechart per_second(eval(round(if(Category="IBC",src_bytes,0)*8/1024/1024,2))) AS IBC_Traffic_Mb by GW

0 Karma

jaywilwk
Engager

If I run this it will return results back for IBC Allow and IBC Allows.

0 Karma

somesoni2
SplunkTrust

If you run the following, does it return rows with category="IBC Allow" only, or both?

index=proxysg sourcetype=proxysg category="IBC Allow*"

0 Karma

jaywilwk
Engager

It didn't work. It's still not capturing the IBC Allows. It's only capturing IBC Allow.

0 Karma

somesoni2
SplunkTrust

Per the definition of LIKE it should [like(category,"IBC Allow%"), where % is the wildcard character]. Try the search I provided earlier and see whether it matches both 'IBC Allow' and 'IBC Allows'.

0 Karma

jaywilwk
Engager

The like condition isn't capturing IBC Allow and IBC Allows; it's only capturing IBC Allow. I've done a search to compare the results and it's not capturing both. It's only capturing IBC Allow.

0 Karma

somesoni2
SplunkTrust

Well, with the condition 'like(category,"IBC Allow%")', it's capturing 'IBC Allow', 'IBC Allows', etc., basically anything that starts with 'IBC Allow'. To capture other categories, you need to add conditions for those as well (e.g. category="IBC Allow*" OR category="softwhitelist" OR category="shopping"). If the number of categories to be included is high but the number to be excluded is small, you can use 'NOT' to exclude them instead of providing a big inclusion list.

0 Karma

wpreston
Motivator

How about:

index=proxysg sourcetype=proxysg | eval Category=if(like(category,"IBC All%"),"IBC","Non-IBC") | ...rest of your search...

0 Karma

jaywilwk
Engager

In the Category field with a capital "C", there are multiple categories for instance: IBC Allow, IBC Allows, Non-IBC, softwhitelist, shopping, etc... What I'm trying to do is grab all of the IBC Allow and IBC Allows stuff and put them into one category. My current search only grabs IBC Allow; it doesn't grab both of them.

0 Karma

somesoni2
SplunkTrust

Based on the filters you've applied, I guess the search can be simplified as follows:

index=proxysg sourcetype=proxysg category="IBC Allow*" | timechart per_second(eval(round(src_bytes*8/1024/1024,2))) AS IBC_Traffic_Mb by GW

What do you mean by "capture the IBC Allows stuff as well from the category"? Is there some special information present in the field category that you want to display?

0 Karma
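The two points made by somesoni2 above, that like(category,"IBC Allow%") matches every value starting with "IBC Allow" (so both 'IBC Allow' and 'IBC Allows') and that an inclusion list can be flipped into a NOT exclusion list when the excluded set is small, and the simplified per_second(...) by GW computation, are illustrated below with an added Python model. This is example code written for this page, not Splunk's own implementation and not code from the thread: spl_like() models SPL's like() (% for any run of characters, _ for exactly one character; case-sensitivity is assumed here), and the EVENTS rows, gateway names and byte counts are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample proxy events (not from the thread). _time is seconds; GW is the gateway.
EVENTS = [
    {"_time": 0,  "category": "IBC Allow",     "src_bytes": 1_048_576, "GW": "gw1"},
    {"_time": 0,  "category": "IBC Allows",    "src_bytes": 2_097_152, "GW": "gw1"},
    {"_time": 0,  "category": "Non-IBC",       "src_bytes": 4_194_304, "GW": "gw1"},
    {"_time": 30, "category": "softwhitelist", "src_bytes": 1_048_576, "GW": "gw2"},
    {"_time": 30, "category": "IBC Allowed",   "src_bytes": 1_048_576, "GW": "gw2"},
    {"_time": 30, "category": "ibc allow",     "src_bytes": 1_048_576, "GW": "gw2"},
]


def spl_like(value: str, pattern: str) -> bool:
    """Model of SPL like(<str>, <pattern>): % matches any run of characters,
    _ matches exactly one character, everything else is literal.
    Case-sensitive matching is an assumption of this model."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def classify(category: str, include_patterns=("IBC Allow%",)) -> str:
    """Inclusion-list form: the eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC")."""
    return "IBC" if any(spl_like(category, p) for p in include_patterns) else "Non-IBC"


def classify_by_exclusion(category: str, exclude=("Non-IBC", "softwhitelist", "shopping")) -> str:
    """Exclusion-list form for when the excluded set is small: the NOT variant of the same search."""
    return "Non-IBC" if category in exclude else "IBC"


def ibc_traffic_mb_per_second(events, span: int = 60) -> dict:
    """Model of: ... category="IBC Allow*"
    | timechart span=<span>s per_second(eval(round(src_bytes*8/1024/1024,2))) AS IBC_Traffic_Mb by GW
    per_second(X) over a bucket is sum(X) divided by the bucket length in seconds."""
    totals = defaultdict(float)
    for ev in events:
        if classify(ev["category"]) != "IBC":
            continue  # search Category=IBC
        bucket = ev["_time"] // span * span
        totals[(bucket, ev["GW"])] += round(ev["src_bytes"] * 8 / 1024 / 1024, 2)
    return {key: round(total / span, 4) for key, total in totals.items()}


if __name__ == "__main__":
    for cat in ("IBC Allow", "IBC Allows", "IBC Allowed", "ibc allow", "Non-IBC"):
        print(f"{cat!r:16} like 'IBC Allow%' -> {spl_like(cat, 'IBC Allow%')}  classify -> {classify(cat)}")
    print(ibc_traffic_mb_per_second(EVENTS))
```

Running the block shows 'IBC Allow', 'IBC Allows' and 'IBC Allowed' all classified as IBC by the % pattern, while 'ibc allow' is not under the case-sensitive assumption, which is the kind of value-level check (exact spelling, case, trailing characters) worth running on the raw category field when a wildcard that should match does not appear to.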

reed_kelly
Contributor

Your search would be simpler and more efficient if you started it with:

index=proxysg sourcetype=proxysg Category="IBC Allow*"

Then the subsequent search would not be necessary.

It's not clear to me exactly what you are trying to do.

0 Karma