Splunk Search

Receiving error in search to compare two fields

gustavobrgyn
New Member

Where is the error?

(index=paloalto  sourcetype="pan:threat" action=allowed severity=critical src_interface="ethernet1/2.110") OR (index=trend sourcetype="deepsecurity-intrusion_prevention")  | eval cs23=replace(cs1, "\"", "") | eval match=case("threat:cve" == cs23,"Yes","threat:cve" != cs23,"No") | stats count by match
0 Karma

cmerriman
Super Champion

Nevermind my comment - I'm pretty sure I know what's wrong.

You're using "threat:cvs" which makes that a string, and you want to match two fields..

Try using single quotes instead to have Splunk grab the values of that field instead.

 | eval match=case('threat:cve' = cs23,"Yes",'threat:cve' != cs23,"No")
0 Karma

cmerriman
Super Champion

what is the error you are getting?

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...