Splunk Search

Receiving error in search to compare two fields

New Member

Where is the error?

(index=paloalto  sourcetype="pan:threat" action=allowed severity=critical src_interface="ethernet1/2.110") OR (index=trend sourcetype="deepsecurity-intrusion_prevention")  | eval cs23=replace(cs1, "\"", "") | eval match=case("threat:cve" == cs23,"Yes","threat:cve" != cs23,"No") | stats count by match
0 Karma

Super Champion

Nevermind my comment - I'm pretty sure I know what's wrong.

You're using "threat:cve", which makes that a string, and you want to match two fields.

Try using single quotes instead to have Splunk grab the values of that field instead.

 | eval match=case('threat:cve' = cs23,"Yes",'threat:cve' != cs23,"No")
0 Karma
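The full search with the answer's single-quote fix applied, as an added example and not code from either poster. In SPL eval, double quotes produce a string literal while single quotes dereference a field name, so 'threat:cve' is needed to read the field whose name contains a colon. The isnull() branch is my own addition and assumes that not every event in the two OR'd sourcetypes carries both threat:cve and cs1; without it, case() returns null for those events and they silently drop out of the stats count.

```spl
(index=paloalto sourcetype="pan:threat" action=allowed severity=critical src_interface="ethernet1/2.110")
    OR (index=trend sourcetype="deepsecurity-intrusion_prevention")
| eval cs23=replace(cs1, "\"", "")
| eval match=case(
      isnull('threat:cve') OR isnull(cs23), "Missing field",
      'threat:cve' == cs23, "Yes",
      true(), "No")
| stats count by match
```

A quick way to see the difference the quoting makes is to add `| eval literal="threat:cve", fieldval='threat:cve'` before the stats line: literal is the constant text threat:cve on every event, whereas fieldval is the per-event value of the threat:cve field (or null where the field is absent).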

Super Champion

What is the error you are getting?

0 Karma