Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Simple search with eval. Why is no table shown?

alex1895
Path Finder
‎02-19-2016 10:32 AM

Here is the search:

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true")| table cat | where check_cat="true"

I get events back from the search,t but the table is not built up.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 12:18 PM

The table command you used is limiting the fields to just cat, hence your where clause is failing as the field check_cat is not available. Try like this

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true") | where check_cat="true" 
 | table cat

OR more efficient method

  index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration"   | table cat

View solution in original post

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎03-03-2020 05:44 AM

Why use case() here instead of if()?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-03-2020 01:46 PM

there is no else operation.

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎03-04-2020 07:16 AM

Sure there is: |eval check_cat=if(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true",null())

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 12:18 PM

The table command you used is limiting the fields to just cat, hence your where clause is failing as the field check_cat is not available. Try like this

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true") | where check_cat="true" 
 | table cat

OR more efficient method

  index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration"   | table cat
0 Karma
Reply
Solved! Jump to solution

alex1895
Path Finder
‎02-19-2016 12:53 PM

Thanks both searches work. I realized that the Boolean expressions are case sensitive thats why my searches also did not work.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-19-2016 01:24 PM

Yes, when used in EVAL/WHERE strings are case-sensitive, but if used in base search OR SEARCH command, they are not.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-19-2016 10:59 AM

Does Verbose Mode show events with the 'cat' field having the specified values?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

alex1895
Path Finder
‎02-19-2016 11:52 AM

Yes, the 'cat' field has specified values. But for some reason the eval filter does not work. The events also show cat field values excluded in the eval filter.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...