Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Simple search with eval. Why is no table shown?

alex1895
Path Finder
‎02-19-2016 10:32 AM

Here is the search:

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true")| table cat | where check_cat="true"

I get events back from the search,t but the table is not built up.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 12:18 PM

The table command you used is limiting the fields to just cat, hence your where clause is failing as the field check_cat is not available. Try like this

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true") | where check_cat="true" 
 | table cat

OR more efficient method

  index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration"   | table cat

View solution in original post

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎03-03-2020 05:44 AM

Why use case() here instead of if()?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-03-2020 01:46 PM

there is no else operation.

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎03-04-2020 07:16 AM

Sure there is: |eval check_cat=if(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true",null())

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 12:18 PM

The table command you used is limiting the fields to just cat, hence your where clause is failing as the field check_cat is not available. Try like this

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true") | where check_cat="true" 
 | table cat

OR more efficient method

  index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration"   | table cat
0 Karma
Reply
Solved! Jump to solution

alex1895
Path Finder
‎02-19-2016 12:53 PM

Thanks both searches work. I realized that the Boolean expressions are case sensitive thats why my searches also did not work.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-19-2016 01:24 PM

Yes, when used in EVAL/WHERE strings are case-sensitive, but if used in base search OR SEARCH command, they are not.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-19-2016 10:59 AM

Does Verbose Mode show events with the 'cat' field having the specified values?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

alex1895
Path Finder
‎02-19-2016 11:52 AM

Yes, the 'cat' field has specified values. But for some reason the eval filter does not work. The events also show cat field values excluded in the eval filter.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...